Sysmon event records, one per line, in the order they appear in the source. Every record carries Channel=Microsoft-Windows-Sysmon/Operational, Keywords=0x8000000000000000, Level=4, Opcode=0, Task equal to the EventID, and RuleName=-; those constant fields are not repeated below. EventID 23 (FileDelete) records are schema Version 5, EventID 3 (NetworkConnect) records are Version 5, and the EventID 13 (RegistryEvent, value set) record is Version 2. The final record is cut off in the source and is left as it ends there.

EventID=23 | EventRecordID=109964678 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:13.984 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3198C82E045286D1697D09C4D4142694,SHA256=A0300C07C966B319E69128BC4E7B7BF7F0C9AA8480972CFA729B36269E12CF87,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916383 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:13.933 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=9279A050F7EA4B68987CDDABAD82D6EF,SHA256=F2E36D9BAACB8975A96173BA12A84314FFB514F9D641F4C18CBDA493E69E23FD,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916382 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:13.246 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=6D8FA8E27BE7C9AD31FE0E637578264D,SHA256=DF317C216CD2B42D2898A995B45C654C0FE9A137B39D985F6EA3A2C997032B0B,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964679 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:14.984 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CB695BE1E439CE5D26F2FFE72E2057B4,SHA256=9C839664596DDD07A55B8CA539B153C89423F41A847D70829E45382D388725CC,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916385 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:14.948 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BCE7091A11DF215E23E21576A3FDEBBB,SHA256=B4432966D5D9D3D25A89ABD1AD07BC5E2BB66ABF99036FE9F44D6F3DBDD78A37,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=56916384 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:04.887 | ProcessGuid={B81B27B7-2350-6193-6B00-00000000CB01} | ProcessId=3928 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=49958 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=56916386 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:15.964 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=B8376156A1A6FC0D9585A6C35EAB9BB9,SHA256=A806ED8F55DA6058BB94469A76AA205253FE77DA286960956500098CAF33C8E8,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964681 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:15.094 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=804BAAD362C4AAD6E95A8E4B9DB7035C,SHA256=CBD3FE74A8FDD3EE683CAB2D0B2D3D8D15F0E64F0B0950808EC147118E53E957,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964680 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:15.094 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=483268179FAC21D37673EAEDB8FD56FD,SHA256=DC98538A2EBB887B9D765B9DE3A1FF570016F8FF598E54C7A097CDC7651EBBA8,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964683 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:16.125 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=EF2B7B094E5BD020E647394DF6E46657,SHA256=8AAB24FFDC6A1DDFAF46CA2D8FAA668E57AF36EE66F6997A39D9537762E1A695,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=109964682 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:28.294 | ProcessGuid={3BF36828-98A5-6185-ED00-00000000CC01} | ProcessId=2352 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=58650 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=109964684 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:17.125 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=EC103E455A05F35ED87D4B63ADB33822,SHA256=06008281CCC48179BFE99722E1822BF2D51E74BEE438F9556493859DA6750DCF,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916387 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:17.198 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3F4C0A7B833BF3ECFAC16542CC366283,SHA256=0331E73BF69E41323F7C792CAC8812441C0BBAAFDC2A191B0C52D1F15F13C4D4,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916388 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:18.323 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=85F806089E7E31C2F3C94ADAFE5F697C,SHA256=C72468894E22B5FC2977E5EDB1D6D878FBCB5F796DF1E4BF5F92C6146757AB30,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964685 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:18.125 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=5C0C1E7241FC7509A1CD49A1FFA10710,SHA256=085DF4258A1361F65BC28F7488885194CBEC0296BEAA2AF147107E206F3ADC1E,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916389 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:19.339 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=813B0F16441EDA0E09C06308E0D8F71E,SHA256=30CCCA623CFFBF4BA0330CBA4A710CA6AAD40414FD7C1B63AB4C34A4B8FC33B2,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964686 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:19.125 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3C235880BF87C1E085DC967174C43785,SHA256=E9F1CF72C53B78D006505F8B8BF65C8BFED20B711210484853356296CE65AF61,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964689 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:20.125 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CB54372499458795581EB9754DC298D1,SHA256=6BC4578ABA58F08EA971E2A0C90078CFF316C930AB279CC02C96A63160399980,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=56916391 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:10.074 | ProcessGuid={B81B27B7-2350-6193-6B00-00000000CB01} | ProcessId=3928 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=49959 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=56916390 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:20.354 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=27AA598D8C156B233CF560DD865661E3,SHA256=1DDE2F094B338D4569A8C13EB8A06C6E9303CFA5DD85E23BF9669153AFF5E403,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964688 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:20.109 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=2FBC92907B41F40873BCEA9C1F95693B,SHA256=F4C49D6AE22B0B0E6762A7AAF2B16FD638D2CFD4D69FB4AE080E81210D66EFD6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964687 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:20.109 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=804BAAD362C4AAD6E95A8E4B9DB7035C,SHA256=CBD3FE74A8FDD3EE683CAB2D0B2D3D8D15F0E64F0B0950808EC147118E53E957,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=109964691 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:33.325 | ProcessGuid={3BF36828-98A5-6185-ED00-00000000CC01} | ProcessId=2352 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=58651 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=109964690 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:21.141 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=208A7FA1362A5E26EC79D40294F0E680,SHA256=1677BBD3BB01541375CA4EFE7A4E77B3CC70CBD2E93741E01FCA9EF07D600552,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916392 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:21.370 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F38A6238EBFFC96F41DC83985811AE27,SHA256=A7F8153A4C08B036F0AA0F4AE7BCCAF05FA6805E4103FF3A0B0D68F2ECB7A871,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964692 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:22.172 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1594F13A98EC3AE4D281A49C8228D3FB,SHA256=D8B5DE48DE171A64B17CA96660F7860AADB6BECA893851A4FC336BA93245FB8B,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916393 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:22.385 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7FFA78A63EF539E31F38AB4B4B198E02,SHA256=6463227853F932A7FE199A2A646342DD955814E6971AA0C128AF3C4F62ABDBDA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916394 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:23.385 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1C7423EEFCA547A96DAE46DD91E78057,SHA256=F6E3E46AB2156647ABE018CA4EBB665973BD2DA396DDC09623AA215D31FB6A19,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964693 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:23.250 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=CE64B792B03F3CE24061F0E58D6205AD,SHA256=0619AE9A719382287F2D29B629FCD6C80CF18A2C48144C10BEF4B698E7D16B14,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964695 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:24.469 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=2FBC92907B41F40873BCEA9C1F95693B,SHA256=F4C49D6AE22B0B0E6762A7AAF2B16FD638D2CFD4D69FB4AE080E81210D66EFD6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964694 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:24.328 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A02A0D3A12E84727CF724C3173093386,SHA256=43E80075C50BAB565A504318235171187DC534A8CA883056B19540351999EF2F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916395 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:24.401 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=ADC730C2E9F38CBEA20465A2D33AFA42,SHA256=92AD20824B2FF7D13D667ED5F86ABAB989D65C692C96E3F625F0898D09951475,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916396 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:25.416 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=742A1A507EA0708C9AA4F19F50E5B5B1,SHA256=2EE12735D6F4DB7B14E74C9705550068A8A283797811C56C45C7EC79167F7D9C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964696 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:25.359 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3A2A7D9D29523F7904A4AFAE88DFAB43,SHA256=012F2E33C29C1D8208A4552103DCE8611EC4D0AE053CCA1E232F5EEC895BA39F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=56916398 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:15.996 | ProcessGuid={B81B27B7-2350-6193-6B00-00000000CB01} | ProcessId=3928 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=49960 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=56916397 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:26.432 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=072B5AC2BAA97DC66ADD63776085DB75,SHA256=390DD1D38490EE533AA549CE43EA5BD4ED4B553DB5586286B82BAD21661E159C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964698 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:26.359 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BCD852D1C49B44AB9105436DCA672D3E,SHA256=3E21EF7073CD4F8CAB471E6D0795A918E4DD3F693FAB6331CF9A38F1734384DB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964697 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:26.125 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=644F88D6196CF5ED4132874BFD540A5F,SHA256=F2175360B15CD3C4EC6E9658BD6E47BCBF2B75491A27C1AEA3BEC4EEC0D0CBEB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916399 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:27.447 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A766025F4EEEEEAB2B057AC2C1F96BDA,SHA256=85351640E0245C96FFCFC411018240F485F80B5004D045C0A9265CC9A0F4C66F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964700 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:27.391 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A828902357EE64D9A52EE42F4E349D2F,SHA256=2F0F4BF0F444ED508FB845CCCA394121DD7D70A1C006EE26A540DF36BBB59DBD,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=109964699 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:39.309 | ProcessGuid={3BF36828-98A5-6185-ED00-00000000CC01} | ProcessId=2352 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=58652 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=56916401 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:28.449 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7408F02C790C90C99998B214855BD78A,SHA256=4DA34D0506EAD7F9A6010B4A79BA6CBE86677DD8B4B7D55E9A5DCD7BB3B9ABB4,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964701 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:28.624 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3B4ABCDDB2914A598014D8101E195AD1,SHA256=BC1782503C151AFBB238D9710D56131731055CBEB644D798F2B09138AEB5AF72,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916400 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:28.150 | ProcessGuid={B81B27B7-2345-6193-2800-00000000CB01} | ProcessId=2264 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml | Hashes=MD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964703 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:29.640 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=75B530297C3D8788426867EF70487327,SHA256=E666A09384AEC35AD7E263D6BED2BCFFFE40CD1741A1936920DE066BC7EF4E06,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=56916403 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:19.965 | ProcessGuid={B81B27B7-2345-6193-2800-00000000CB01} | ProcessId=2264 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=49961 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8089 | DestinationPortName=-
EventID=23 | EventRecordID=56916402 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:29.468 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=EF26C8B81DA128D0B9FA39FE04B6D520,SHA256=433AC46622E68AF734654B59F345A12849315DAD871B1558E55EB503F52401A0,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964702 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:29.405 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=02BDF958CC0AE257A6F2FF8459C61338,SHA256=EB42B7E333F23E5C089095E1C7A39DD1E5B9C35FA88A76EA43F95CA3EE31B28D,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964704 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:30.811 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F4AC8597FC1FCAD488D7220FB79BFDD9,SHA256=9E8C2384233919DB5C1CE602C3169654774E99B3FF5C1BD99E21E5EB8861B63B,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916404 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:30.480 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BB2826EE0784400AF482F07BAFFAAF6E,SHA256=EE25804B7F8AB5A8452762656BBE92A6794D044A1867E49AC24AC6A67313A8AE,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964705 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:31.843 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A82E44F93EF990D008DD00CF5F2D3FA2,SHA256=A286D23E2CC5EBF52FA46034B7978699DE447416AFC088377AED6F1E2F126ECB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=56916406 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:21.936 | ProcessGuid={B81B27B7-2350-6193-6B00-00000000CB01} | ProcessId=3928 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=49962 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=56916405 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:31.527 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3895A4C0D17417D4EC1B3D703272A3F3,SHA256=7433F5C7AC35C8470C2348A5B9CC57A9CD39A3E39F15578E037AC5D05626D5AA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916409 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:32.668 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=11BC9643C01B2C40DEE3F9826B8C01AD,SHA256=CCFB7AED7B962983646225EE993D748EA503AC53F79BF94A967FA352ADA72C20,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964708 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:32.858 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=83CB71DD4E50ACE6F5DE9BBA0ED6964C,SHA256=C67DBEBD847CB0B61888F4377D4240036EE67BF1A95C1174C82E5D8FC3BFB0FA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=109964707 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:45.355 | ProcessGuid={3BF36828-98A5-6185-ED00-00000000CC01} | ProcessId=2352 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-128.attackrange.local | SourcePort=58653 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=109964706 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:32.155 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=973B1133F0BFC9F1371F9BE94496A74D,SHA256=C82EA8F6AF5D32D6B071C0675CD8EBAFFE98517525A70F4A92BD3ACD7F0B6BE5,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=13 | EventRecordID=56916408 | Computer=win-host-987.attackrange.local | EventType=SetValue | UtcTime=2021-11-16 03:30:32.590 | ProcessGuid={B81B27B7-2344-6193-1300-00000000CB01} | ProcessId=720 | Image=C:\Windows\system32\svchost.exe | TargetObject=HKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime | Details=QWORD (0x01d7da9a-0x4f980941)
EventID=23 | EventRecordID=56916407 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:32.543 | ProcessGuid={B81B27B7-2344-6193-1600-00000000CB01} | ProcessId=1104 | User=NT AUTHORITY\SYSTEM | Image=C:\Windows\system32\svchost.exe | TargetFilename=C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000 | Hashes=MD5=6EE37F99E207C5DC0C816D0B99775752,SHA256=A47A47ACCBD8986B6AD86AD8A3D2E88F4F5B9668E5838254FBDDB61D7EBE6FAA,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916414 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:33.683 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | Hashes=MD5=A5F17D89DB7A6E5CC8DCD12CEEE11757,SHA256=430E9AB193A3E5B0A6F8E76F1472E1449F6E78155B7C4D33F90677F12FD46384,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916413 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:33.683 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F58312184D5F2F8460DA05973C25FACA,SHA256=12E649BE675C1C5FAB185CD547FF7174D8BCBB5FD3D32CED65421A609EDD7635,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916412 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:33.683 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | Hashes=MD5=0DB41E1885E2A18B893862870FFE84FE,SHA256=4F470322DC69E6B028972F7F674D31F89744FA357B43513CC32EB8DDF446F2F3,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964709 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:33.858 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=75540BA4AA5F1D4B47B34471FC57E2F2,SHA256=8BC07F34D374D5ABBBFCA9C940B5183D6D30F3EE7AFECB432D118D041D3D9709,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916411 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:33.636 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=B05A3AA9C6EF00257500AD2912372BF9,SHA256=2EF613F61613D3DEDEA323835132234FD95A5899D1E16B577242A6570BB74AE7,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916410 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:33.636 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=8CFE446698233D4B17457602EA0AF259,SHA256=BE6DF9815EF082402549D13B4A0573CBE1A6AF6906288298CA30C50F7A538D5C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964710 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:34.921 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=53CD27AFB3105E434653459D365BBFC9,SHA256=D7748F6596AA744B0E42CBF3EEBB10E36768E48DEE49AD8F57BF8D7ECA01A69E,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916415 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:34.699 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=72B4E5323BE1EFF0D4B4D278E64E0876,SHA256=1842DB3F52FA34CB0A51B7616244016A0FE78950CC3C2CBE9621C352480157DF,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=109964711 | Computer=win-dc-128.attackrange.local | UtcTime=2021-11-16 03:30:35.936 | ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01} | ProcessId=5748 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=8BBB060C2ACA3F44601082129A4C10C3,SHA256=E2B9D0A5424CC6593BAB0E400A14DC02F004897A008FD46567A77DE2C2061391,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916416 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:35.714 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=9EE6F56879C3F4FEA0F5C8E7C2A90FC0,SHA256=6CA3E8C8798C2EE990651EF5E0265C648420CE0D6E636ABCC439A92A4FE4FCB6,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=3 | EventRecordID=56916418 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:27.061 | ProcessGuid={B81B27B7-2350-6193-6B00-00000000CB01} | ProcessId=3928 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.15 | SourceHostname=win-host-987.attackrange.local | SourcePort=49963 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal | DestinationPort=8000 | DestinationPortName=-
EventID=23 | EventRecordID=56916417 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:36.730 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=6586DCD8B6E3A7F0E71242DA21F0432F,SHA256=9ED0A12B14934EACA7A40C3318385528ACF7C09945F050DD03A79F4BBF768417,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=false - insufficient disk space
EventID=23 | EventRecordID=56916419 | Computer=win-host-987.attackrange.local | UtcTime=2021-11-16 03:30:37.777 | ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01} | ProcessId=5124 | User=NT AUTHORITY\SYSTEM | Image=C:\Program
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B467F43FA33559205D6DDE003B721C1,SHA256=0D847CCCD8B116A7FE9D21409C693300D5FA80C15255F8E8C44D2E36500BBE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:37.374{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62EBAC270B79D1C3C4B816E45E3A4FF0,SHA256=A8E0C8AB9CD36B27578D6C1A92E592AEDE503085017A988E30296D13AAE4ED3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:37.374{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB9255CC337615EF34E073652E931D5E,SHA256=3A33F4883A9E445CD101B79731B179003B316B05DFCA1E354D74616331CAF448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:37.061{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CF2550D1A2EB4C847BAC66CD4AFE98,SHA256=54DF19376B24D5051C0C07274F8D616D607548292C614DBEE90C4B7E102E5BC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:38.777{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBCEE0204C0C501A5020B12215DC793,SHA256=B99BD5F0185F7884A76E6A5E541BC4C5ABC77A816DB4FFC4AC21F779405CB25A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109964716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.434{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58654-false10.0.1.12-8000- 23542300x8000000000000000109964715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:38.140{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34CBA90F7C9625CE9F8B4A07086857B,SHA256=EE37F119EE4F97582CD2429EDC1D43CC57D88DFA844B92B7E1148D48647C304F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:39.792{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD2F15EF7A891E3B07000BF366DFB89,SHA256=A60EC3D88CF54658860F4D95710CBE0705CEC745F762C76AA647F849C70FFB5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x8000000000000000109964717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:39.155{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE61FB3A7B2ED2D04034FE36BB0D784,SHA256=E940EDAFDC8E200806106C73C6E45B3A2793F2D3873C319076331201A5EC979D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:40.980{B81B27B7-2344-6193-1400-00000000CB01}716NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=459A58A1679E6B0BC084E3AACD38A6C0,SHA256=D7B08B0FF05DCB31A6408DC8E34D8469ADE58C2DB176AB3861AB053FAA880E94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:40.792{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF988CC406675AB3AB573C3CA27C3AF8,SHA256=DD0FFBF1B8229369A8CA24607663B4C90909351B61A8313A49332573AFDEF750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:40.155{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A4E81C784B672C32714C9BF5972619,SHA256=B350A85A130620C2631FA805550F52BB3EB4DBBB8655E238E05F9AF8119FD9B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:41.808{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A3BCB6B4DD33C8E1F9E9D91F1FC879,SHA256=4D92B37A556CDE4B82F711EB213609222A44DB81C06919A2EE02BBEC7F3A5DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:41.155{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E41540AD3D7D661912C17C4DD0B687B,SHA256=2D2E7CE4176248DB2B7F47CAD2AFB05493B24E8F4FEFFFC38EC18F8F7A81C1BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:42.855{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE7954062ECD7010BFD087158BDEDFC,SHA256=07990EAB8C836498CB8C2F4C84525FAF0462F2A0FF345A394DE6F69EBD14BEE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000109964722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:55.449{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58655-false10.0.1.12-8000- 23542300x8000000000000000109964721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:42.343{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62EBAC270B79D1C3C4B816E45E3A4FF0,SHA256=A8E0C8AB9CD36B27578D6C1A92E592AEDE503085017A988E30296D13AAE4ED3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:42.155{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB79A77ED724093C948010E055FB21B,SHA256=1B4847F6CAE4A580D2BAD8816E37AF8879181A88B2DDE20C3D19BC0CBF0A436C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:43.870{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0D10A0E63A0D4091AD051A94BCF64E,SHA256=15CA924E15327F89DFE530BE92EABF2934DCFAB4C79676EE2A98C04C6B26A893,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109964723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:43.155{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04603C48BB68E0B6668FC2F1E60A995F,SHA256=790BADD57C006CDA37F5CEBE757B813B81BC063829B7A8C9D91909E0B81D0EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:33.061{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49964-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056916428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:44.902{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EC39B57DF84856F44172C76AD6DCAD,SHA256=2B365331AECD633F59BFA3395313D068C7BCB30A66A368BB9A5EA978758EC77E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:44.405{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B4C8CB7BF48DDAD2905C0261A227B2C,SHA256=530F68EA9A44F62B04E51E6EDA7681BF94050D8F7CBABF625AE3A9140ED166B5,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000109964724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:44.155{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3BADA88E725308AE9DEC8F81A7CC79,SHA256=37E40C5ED98BD3E830B539039DCBCC3818D3FD85B0ECE94B9771CC981EBA2399,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:45.902{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE9B2EFDFE2F1ECACFF6D1F877BBA50,SHA256=CB8ABE4CC3F8650B07DFECC96446E020DC255168646495DB619D0771AC5FB9A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109964726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:45.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14ED23978C76C1BB48A1C1F45716CAF7,SHA256=1FE35DEEEDC44D364CA52C211E09B537BCA1275159CC45383F34E60995EC5133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:46.980{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C642BBAFB266585C524F51FB8B1BDBE,SHA256=582C38862D3CAEC94AF493FE5D4CB95541A2A5DDA25DD6EB2CAC8DD34C85EB9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109964782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.905{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109964781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.905{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109964780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.890{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
734700x8000000000000000109964779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109964778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109964777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109964776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 
(rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109964775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109964774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109964773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000109964772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.765{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109964771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000109964770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109964769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109964768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109964767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109964766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109964765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109964764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109964763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:46.749{3BF36828-25E6-6193-E098-01000000CC01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
Sysmon records from Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-128.attackrange.local. In the source each record is flattened in the order EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, then the EventData fields. Every record below has Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the EventID and RuleName "-"; Event ID 7 and 10 records are schema version 3, Event ID 1 and 23 records schema version 5. Source order is descending EventRecordID, except that records 109964889 and below follow 109964727.

Event ID 7 (Image loaded). Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe, ProcessGuid {3BF36828-25E6-6193-E098-01000000CC01}, ProcessId 408, UtcTime 2021-11-16 03:30:46.749 for every row. Signed is true and SignatureStatus is Valid for every row. (Event ID 10 record 109964739, listed in the next group, sat between 109964740 and 109964738 in the source.)

EventRecordID | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signature
109964762 | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | Microsoft Windows
109964761 | C:\Windows\System32\gdi32full.dll | 10.0.14393.4350 (rs1_release.210407-2154) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | Microsoft Windows
109964760 | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | Splunk, Inc.
109964759 | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | Splunk, Inc.
109964758 | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | Microsoft Windows
109964757 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | Splunk, Inc.
109964756 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | Splunk, Inc.
109964755 | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | Microsoft Windows
109964754 | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | Microsoft Windows
109964753 | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | Splunk, Inc.
109964752 | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 | Splunk, Inc.
109964751 | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | Splunk, Inc.
109964750 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | Microsoft Windows
109964749 | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | Microsoft® Windows® Operating System | Microsoft Corporation | nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7 | Microsoft Windows
109964748 | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | Microsoft Windows
109964747 | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | Microsoft® Windows® Operating System | Microsoft Corporation | iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55 | Microsoft Windows
109964746 | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | Microsoft Windows
109964745 | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | dnsapi | MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECC | Microsoft Windows
109964744 | C:\Windows\System32\secur32.dll | 10.0.14393.2273 (rs1_release_1.180427-1811) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | secur32.dll | MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759 | Microsoft Windows
109964743 | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC | Microsoft Windows
109964742 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | Microsoft Windows
109964741 | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | Microsoft Windows
109964740 | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | Microsoft Windows
109964738 | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9 | Microsoft Windows
109964737 | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | Microsoft Windows
109964736 | C:\Windows\System32\ntdll.dll | 10.0.14393.4350 (rs1_release.210407-2154) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 | Microsoft Windows
109964735 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 8.0.2 | Network monitor | Splunk Application | Splunk Inc. | splunk-netmon.exe | MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC | Splunk, Inc.

Event ID 10 (Process accessed). UtcTime 2021-11-16 03:30:46.749 for every record. CallTrace frames are separated by "|" as in the source.

EventRecordID 109964739
  SourceProcessGUID {3BF36828-989E-6185-C300-00000000CC01}, SourceProcessId 5956, SourceThreadId 5960
  SourceImage C:\Windows\system32\conhost.exe
  TargetProcessGUID {3BF36828-25E6-6193-E098-01000000CC01}, TargetProcessId 408
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 109964734
  SourceProcessGUID {3BF36828-9799-6185-0C00-00000000CC01}, SourceProcessId 844, SourceThreadId 6424
  SourceImage C:\Windows\system32\svchost.exe
  TargetProcessGUID {3BF36828-97A9-6185-2A00-00000000CC01}, TargetProcessId 2912
  TargetImage C:\Windows\sysmon64.exe
  GrantedAccess 0x1400
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventRecordID 109964733, 109964732 and 109964731
  Identical to 109964734 (same source, target, thread and GrantedAccess 0x1400) except for the third CallTrace frame, which is c:\windows\system32\lsm.dll+11aad, c:\windows\system32\lsm.dll+11058 and c:\windows\system32\lsm.dll+12023 respectively.

EventRecordID 109964730
  SourceProcessGUID {3BF36828-9797-6185-0500-00000000CC01}, SourceProcessId 420, SourceThreadId 436
  SourceImage C:\Windows\system32\csrss.exe
  TargetProcessGUID {3BF36828-25E6-6193-E098-01000000CC01}, TargetProcessId 408
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventRecordID 109964729
  SourceProcessGUID {3BF36828-989D-6185-BF00-00000000CC01}, SourceProcessId 2968, SourceThreadId 2452
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID {3BF36828-25E6-6193-E098-01000000CC01}, TargetProcessId 408
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  GrantedAccess 0x1fffff
  CallTrace C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

Event ID 1 (Process creation).

EventRecordID 109964728, UtcTime 2021-11-16 03:30:46.734
  ProcessGuid {3BF36828-25E6-6193-E098-01000000CC01}, ProcessId 408
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  FileVersion 8.0.2, Description Network monitor, Product Splunk Application, Company Splunk Inc., OriginalFileName splunk-netmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
  CurrentDirectory C:\Windows\system32\
  User NT AUTHORITY\SYSTEM, LogonGuid {3BF36828-9797-6185-E703-000000000000}, LogonId 0x3e7, TerminalSessionId 0, IntegrityLevel System
  Hashes MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC
  ParentProcessGuid {3BF36828-989D-6185-BF00-00000000CC01}, ParentProcessId 2968
  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

Event ID 23 (File Delete archived). Both records: ProcessGuid {3BF36828-98AB-6185-F600-00000000CC01}, ProcessId 5748, User NT AUTHORITY\SYSTEM, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, IsExecutable false, Archived "false - insufficient disk space".

EventRecordID | UtcTime | Hashes
109964727 | 2021-11-16 03:30:46.186 | MD5=B7F89BE2A95470386366C7E3F0ACB2B2,SHA256=78EFB6D6C9B23C71D8CF1E7C42EF185F101129A6D3CA0BC8A54F5FBD407C2309,IMPHASH=00000000000000000000000000000000
109964889 | 2021-11-16 03:30:47.968 | MD5=624D4B0B223F63B839ED0D91711D32F5,SHA256=DA478897903CA9D70C66C869FB30737BD204389C7A1591CD168D2E846AEDDB77,IMPHASH=00000000000000000000000000000000

Event ID 7 (Image loaded). Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe, ProcessGuid {3BF36828-25E7-6193-E298-01000000CC01}, ProcessId 5564, date 2021-11-16 for every row. Signed is true and SignatureStatus is Valid for every complete row.

EventRecordID | UtcTime | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signature
109964888 | 03:30:47.921 | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | Microsoft Windows
109964887 | 03:30:47.921 | C:\Windows\System32\rsaenh.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | Microsoft Windows
109964886 | 03:30:47.921 | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | Microsoft Windows
109964885 | 03:30:47.921 | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | Microsoft Windows
109964884 | 03:30:47.921 | C:\Windows\System32\bcrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | Microsoft Windows
109964883 | 03:30:47.905 | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A | Microsoft Windows
109964882 | 03:30:47.905 | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | Microsoft Windows
109964881 | 03:30:47.905 | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 | Microsoft Windows
109964880 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | Microsoft Corporation
109964879 | 03:30:47.905 | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | Microsoft Windows
109964878 | 03:30:47.905 | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | Microsoft Windows
109964877 | 03:30:47.905 | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | Microsoft Windows
109964876 | 03:30:47.905 | C:\Windows\System32\combase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | Microsoft Windows
109964875 | 03:30:47.905 | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | Microsoft Windows
109964874 | 03:30:47.905 | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | Microsoft Windows
109964873 | 03:30:47.905 | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | Microsoft Windows
109964872 | 03:30:47.905 | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | Microsoft Windows
109964871 | 03:30:47.905 | C:\Windows\System32\gdi32full.dll | 10.0.14393.4350 (rs1_release.210407-2154) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | Microsoft Windows
109964870 | 03:30:47.905 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | Microsoft Windows
109964869 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | Microsoft Corporation
109964868 | 03:30:47.905 | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | Microsoft Windows
109964867 | 03:30:47.905 | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | Microsoft Windows
109964866 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | Splunk, Inc.
109964865 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 | Splunk, Inc.
109964864 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | Splunk, Inc.
109964863 | 03:30:47.905 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E | Microsoft Windows
109964862 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | Splunk, Inc.
109964861 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | Splunk, Inc.
109964860 | 03:30:47.905 | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 | Microsoft Windows
109964859 | 03:30:47.905 | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC | Splunk, Inc.
109964858 | 03:30:47.905 | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | Microsoft Windows
109964857 | 03:30:47.905 | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft (record truncated in the source; the remaining fields are not present)
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109964856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109964855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109964854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000109964853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109964852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109964851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109964850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109964849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109964848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000109964847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:47.905{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:47.905{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:47.905{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109964842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.905{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056916432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:47.433{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59D66A8D638664160DED81323F20D826,SHA256=B3BA5C28167955D07B1D9DBDBE00E1AE13E5265D9E7861B21A15E69DAAAB8B41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:47.433{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B05A3AA9C6EF00257500AD2912372BF9,SHA256=2EF613F61613D3DEDEA323835132234FD95A5899D1E16B577242A6570BB74AE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 154100x8000000000000000109964841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.891{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109964840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.733{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F87EBC38922F5D40D6DC19698FF6A03,SHA256=3AAAD0BDACF9AA8100BF837FFCA7BDC45DBB91B7AA9FC5FC658A3BF8F54419E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109964839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.515{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109964838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.515{3BF36828-25E7-6193-E198-01000000CC01}70286944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109964837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.515{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109964836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.499{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000109964835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.390{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.390{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.390{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.390{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000109964831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.390{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109964830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109964829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109964828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109964827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109964826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109964825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109964824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109964823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109964822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:47.374{3BF36828-25E7-6193-E198-01000000CC01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109964920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109964919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109964918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109964917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109964916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109964915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109964914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA 
Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109964913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109964912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109964911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109964910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109964909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109964908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109964907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109964906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109964905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109964904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFBB774EFDF82DE5B41109217617C23,SHA256=4E60F39CA9075B1605D75C69A600638BEE47068F589269D2CE26E682F7E81FCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109964903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109964902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109964901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109964900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000109964899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:48.597{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:48.597{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109964894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.597{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109964893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.582{3BF36828-25E8-6193-E398-01000000CC01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056916435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:38.952{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49965-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x800000000000000056916434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-16 
03:30:48.593{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7da9a-0x5921fc8c) 23542300x800000000000000056916433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:48.027{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCFFFB3AA679A8A32A466644604E5A9,SHA256=D9ECC1894E40392469120C9363D97FDC75C89EEF329F6DFD7510D3552E2E1832,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109964892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.061{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109964891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:48.061{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109964890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:48.061{3BF36828-25E7-6193-E298-01000000CC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109965052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.987{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.987{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.987{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.987{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.987{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
734700x8000000000000000109965046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x8000000000000000109965025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109965017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000109965012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.972{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.972{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.972{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.972{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.957{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.675{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0F1B676A369312F6B32A4BDDFDCF7D,SHA256=A1AF4F084CA3BBCA37C6381477959E024AE87F56C842E5290D793A1EA1E3D0AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:01.465{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58656-false10.0.1.12-8000- 23542300x800000000000000056916436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:49.046{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A33EA2B3C4A7F39B3C175C9F75A2131,SHA256=AC44F68935CB148B1F5134654426D76B8DEA1EB5286249D6DB18BDBC8D8C8F8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109965003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.440{3BF36828-25E9-6193-E498-01000000CC01}39847048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.440{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.440{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000109965000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.425{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.425{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.425{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.425{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109964996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.425{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109964995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:49.315{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D43CEFF8B5F7DB654ADBBCF27EA199,SHA256=4FD5AC968B1DB0135FD5723ADBDE298C82D5310AD485CEA102FEA2E657E4D377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109964994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.300{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109964993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.300{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109964992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:49.300{3BF36828-25E9-6193-E498-01000000CC01}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
734700x8000000000000000109965089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
734700x8000000000000000109965075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109965071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000109965068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000109965066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:50.659{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:50.659{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:30:50.659{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.659{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.644{3BF36828-25EA-6193-E698-01000000CC01}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000109965059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:03.360{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58657-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000109965058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:03.360{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58657-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000109965057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.190{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DEE19071695FA05A09B8BDF94E129BA,SHA256=5F77A9213B69F207681C5BD7FC885AF00F871D0B27ABBB816B13AE7D8BE89ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.112{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® 
Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109965055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.112{3BF36828-25E9-6193-E598-01000000CC01}62722388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.112{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:50.112{3BF36828-25E9-6193-E598-01000000CC01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000109965113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:51.722{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD4853B444DD8EA3AE237C8387D0AEB,SHA256=5EB9A6F05F3AA3C1DB2BD37B1FFD3D2E42D90D20DDF9F555095CE626F8517C6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:51.093{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D2C30A0E22150652251E086218647D,SHA256=30BC9D4085A84BFABDCB05404E376F17D56919F18B51072C9B5484F5427D29B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:51.659{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A65B77A8AC520E5773ED2125364B321C,SHA256=E4932A18E5168C3B1ECC71A252F36DE6E791EC5B56BB915D9E86385BDB6B14D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:52.831{3BF36828-98AB-6185-F600-00000000CC01}5748NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C697BA4BA18A108356B56CC28D173D74,SHA256=D51FA52FDA5B969426DB3B994D4D42794C5C22313674504290BCF40C4146042A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:52.109{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B2E65FC5EFBBB2F69778B47B72E729,SHA256=1D44A8A3EE3BA7CBC323E066DA0B71F10F1475ECB5AA824CAEE34222F6B85332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:44.051{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49966-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056916440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:53.126{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06849C72721EADC983FD23905D95BA5E,SHA256=62DA3E7484BCDA7C49ECBDB80675E17378A0395DF73E1292A1D561A86CBD5FE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:30:58.923{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.923{B81B27B7-2343-6193-0500-00000000CB01}416780C:\Windows\system32\csrss.exe{B81B27B7-25F2-6193-1701-00000000CB01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.923{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-25F2-6193-1701-00000000CB01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.925{B81B27B7-25F2-6193-1701-00000000CB01}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056916494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.595{B81B27B7-25F2-6193-1601-00000000CB01}24845060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056916493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.548{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0CB75BC133B1816592B35D49D7F9C7A,SHA256=0E88BFEF86C8F0E832C83E48A54999DCE8455C0C5B79A3349F4614CDA75A914A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.439{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582658A171398B959CA24F12C9896F9A,SHA256=F725DAF1A72841E69A5A88693D70E45CD33E29E6D41FCAFE5AD4D78DA5062980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:11.204{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58659-false10.0.1.12-8089- 23542300x8000000000000000109965124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:58.206{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15D2ABCAAA16A7359DAE3F2C3CC57D5,SHA256=D430838DCB751275BC47C681E7D86262564E3B21C4BC9093927D1C54CF7E8D26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.423{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-25F2-6193-1601-00000000CB01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.423{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:30:58.423{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.423{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:30:58.423{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.423{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-25F2-6193-1601-00000000CB01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.423{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-25F2-6193-1601-00000000CB01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.424{B81B27B7-25F2-6193-1601-00000000CB01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056916483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:58.001{B81B27B7-25F1-6193-1501-00000000CB01}48841228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109965123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:58.003{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8928AF7DD265ED714E332D6C4EDAF8A,SHA256=EABC92C8C986EBD475019042F275D9FF781A00E5108F1CAEA24233C03A206227,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:59.642{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=155747E7D210D1BCC518DF0603622EC2,SHA256=EDF5811E4FE22A32CF2F3C33619F8B259244D44B6E63DE1CEB0A79869EFBA222,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:59.501{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15F254601C60C37463BADB3938AD365,SHA256=E880C0601D9FF7E3880CBB05CBB730531A4E4F301F190455FF88CE6280A46A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:59.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23642F20B29BA5388B5D273D941EE42F,SHA256=C71472F3D0AF6D2411222FDF31256EE5262898DFC98DA3E0AC5F5D2FF60033BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:59.079{B81B27B7-25F2-6193-1701-00000000CB01}56885988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109965126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:30:59.190{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36FC21AE89DA033BF9DC6AAAD3F5400F,SHA256=DBFC0D016A601544A0957AF550EDF9612D409DFFFA3D3F9242FB0A615ACB5940,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.579{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F0F38EE7E5077D070D9F00C308DFB7,SHA256=DC72626FBF71090FC18D3C5EB9027C0244C5138ABC064C713A97BA86D2FFD36E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:12.391{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58660-false10.0.1.12-8000- 23542300x8000000000000000109965128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:00.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E353D071209611330891B242117B941,SHA256=DFD3B0DF8C35706FB90CF7DC929D691FD8D25D01DBB5A6F827FA3EDB0C6BB95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.564{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-25F4-6193-1801-00000000CB01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:00.564{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.564{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:00.564{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.564{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:00.564{B81B27B7-2343-6193-0500-00000000CB01}416780C:\Windows\system32\csrss.exe{B81B27B7-25F4-6193-1801-00000000CB01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.564{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-25F4-6193-1801-00000000CB01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.564{B81B27B7-25F4-6193-1801-00000000CB01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:01.627{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8551472952F6FF7D358157EDE74969D8,SHA256=C8BEF6B717C0794FDF97C0CA5AC7FC740E6FDC2D12D0F1B4D7630E8B02739A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:01.612{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D92A50E07A52902DCEE05BCDEFEC4D,SHA256=87BFB1EE4BDE6C805FE8625C345802D5982DEAB24E25841F5C1E56FFAFF6D359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:01.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB11CCDD0E2E1C881A3F9B61F7049F08,SHA256=4A631F4FB1FF98FF5FF75BC16BA1DF70B7EAA43D4B90750CA661DB7165ED7E82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:49.879{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49967-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056916518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:02.626{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8084FA6062671E30BF6EE7E3AC7EF6,SHA256=37E6AF5CF2D6336A2766803139401F5FCE03BCAF30227058E55EEA0413204EF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:02.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D884166A18F68DCFDBA46047EB2D7BD4,SHA256=BF65B67992AAB6268DAAEB08D2A1CF73EE1186711D0E91EC0B31331BC02A1B2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:03.657{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3414D38DD52831C79F49C3A9943A14,SHA256=4E18F66FCF12517D390C18302F084267C5D22937FD937D25E95ED1D1C249A5A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:03.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44D7D8DCC568B55E231BC5549AC8FFA,SHA256=B418669151018F5A65AFB1CF47CD6E2B315EF694466810D8F3C71EDF6E37022B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:04.689{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C3F70481507ECEA3B2127535D3AF50,SHA256=30BAEF6FD5AD9AEF85E47FD9FC4C6488D5B995AD20296D1913535CEA960748E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:17.393{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58661-false10.0.1.12-8000- 23542300x8000000000000000109965135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:04.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E487B4FDDC4B9311EE104EB4F2105438,SHA256=3BAD9E5B345B3C3D6051AC08D05A2C43E0899AA2B764C20D89825348949EF7C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:30:54.911{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49968-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109965134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:04.190{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8867EDE896F18696B53592136AC92C,SHA256=0C0229DA636BABC89DA57843DDFE3F221726466AC113C25D5E667AB6C69CADC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:04.190{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEEDD572EBB6DEDC5635EFC00F100DB7,SHA256=47BCC773A7406777A262D1106E86177996FBD6B96013AAC788F3618A2588FBFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:05.689{B81B27B7-2357-6193-8800-00000000CB01}5124NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C2B85AAA36D29ED9C34448057E1DD9,SHA256=8EA16125D3FAECD5CEECBF68C37C94BFEE70C3EAB6726BDDC7FEC4210713E3D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:05.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136C9BAD2B2441D49A0B1E7B7087A6C2,SHA256=7C6DF7738D08AD20303742CCD952AD70A0840B6B41F4F4B47BE197321E2A845D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:06.720{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B78CDF30A431B16E3EE9580FFFE0F8,SHA256=DFC05678FFE4BB867B1CC22E11523C3E9D048C5835EC5F3E9C5EDF686FECF78E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:06.237{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0411450FCE766AF636088921B7979B,SHA256=47B87FB6D57973736C96C8D1A8A7BE53354799498ADDA5F62F78ADB0383B286E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:06.689{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Windows\setupact.logMD5=E30E2753F7C87BBAB6314EEB520F0E45,SHA256=C51F45D8A76F1884E4C55D8EF93FECE0EF531F0D0A5EDB2733024CCFABF263B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:07.736{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA552C26F2304ADD2E5BE3F2F3A96DFB,SHA256=A872CF9844D4EA27B455CC78D8FE1C318925C7CDF1DE6F878A8BA45A0473DBA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:07.331{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B54031DF94F6FD038FE735A68DE048D,SHA256=B924940FC1A01C46BE2DB0DB6993B506399184CFD879C1AF205D33D3B50802BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:08.871{B81B27B7-2357-6193-8800-00000000CB01}5124NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF7E47F3D01C25827A94E382A069EC1,SHA256=CE1831BA86C83591BFE14FBAC525365DF2A8C9C79ACA7EC03A01A5614F0BCE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:08.515{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FC13FDDCA9CBD3B2FDE73BC002AC9C,SHA256=82E4CFB04BA5FAEB87D9D3BA613C1890102756F81E02DC7B3891AD73EFFD38DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:09.886{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61E548867D0610BF17774BEC91A56CF,SHA256=6C399233EA6752C24666687FECA8D3D026E399A95EC1AE5DB3D9886C1DBF40AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:09.528{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345585F4DAC41A89FBF5BB626BA43D6C,SHA256=109DE9F331AF439D37259633B02B86A5479D252D0EA69EF009416D760C66F4B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:00.051{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49969-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109965142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:09.419{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CC314632B986A6904ECAC9836979834,SHA256=0DCBEB4045100BE3E91D1DA7DD283FCEAA6279A87238F151680D6F930E1CA455,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:09.419{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8867EDE896F18696B53592136AC92C,SHA256=0C0229DA636BABC89DA57843DDFE3F221726466AC113C25D5E667AB6C69CADC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:10.902{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9400389EA8432B9909B10705E2C72F0D,SHA256=35AD24FF20FEB81C99E7CFCF319224CC39D65BA52AFCF560A30244DB91C26F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:23.307{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58662-false10.0.1.12-8000- 23542300x8000000000000000109965144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:10.657{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADB4A8CE0A5BD3B53650AD645531828,SHA256=11306ED9FE220D97A32A5C50A5CB7BEAC57C1EA9774B4E1D51D00087DC1E150F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.996{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truefalse - insufficient disk space 23542300x800000000000000056916666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.980{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truefalse - insufficient disk space 23542300x800000000000000056916665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.980{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truefalse - insufficient disk space 23542300x800000000000000056916664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.980{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truefalse - insufficient disk space 23542300x800000000000000056916663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.980{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truefalse - insufficient disk space 23542300x800000000000000056916662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.980{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truefalse - insufficient disk space 23542300x800000000000000056916661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruefalse - insufficient disk space 23542300x800000000000000056916660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truefalse - insufficient disk space 23542300x800000000000000056916659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truefalse - insufficient disk space 23542300x800000000000000056916658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truefalse - insufficient disk space 23542300x800000000000000056916657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 
23542300x800000000000000056916654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truefalse 
- insufficient disk space 23542300x800000000000000056916650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.964{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 
23542300x800000000000000056916643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truefalse - 
insufficient disk space 23542300x800000000000000056916639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.949{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 
23542300x800000000000000056916555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 
23542300x800000000000000056916548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.808{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 
23542300x800000000000000056916541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 
23542300x800000000000000056916534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 23542300x800000000000000056916531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:11.792{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truefalse - insufficient disk space 534500x800000000000000056916530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.777{B81B27B7-25C1-6193-1001-00000000CB01}5444C:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\DismHost.exe 23542300x800000000000000056916678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.980{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7E190E695652C6C3E29C00D89DDCBC,SHA256=52F3FECE78E32E6E1D5788BA053F14D3384362130B04FBB592DC2B358AA647A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:12.672{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0FCB3B43B442136CE4C19807F74174,SHA256=D521125BFB2E7E7A55E6A2223226311FC9F493DCFF474FB3207A642C1B7DA84C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.777{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4A46B9ACB88587328E8C5D8F417C0AE,SHA256=79EFE7D854ACE0C1E520FC8982845E94027D2D7C0A200E5FF2A07E08B8D3D5F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.777{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4661CC9F3CB93C9D007D5CF984EE258A,SHA256=FCC1BFA7F35FB2AC51D7390A2CF5E97ADF651A67A9C1F7AD385EC76FCE3A4210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.339{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF725BFE06D3784576F98EB0B6A153BE,SHA256=20A61E9A630456EBA12268B4E61B89DD2DE5991EF7B8B958DC7AC3E380B2428C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.339{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2049A8D99992A3DCC4C9F63AB745475F,SHA256=3CC0363490CE628C5C25BA1E6DD438E9BC76E99A3DC178A0A08F54772457E243,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.027{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruefalse - insufficient disk space 23542300x800000000000000056916672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.027{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruefalse - insufficient disk space 23542300x800000000000000056916671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.011{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruefalse - insufficient disk space 23542300x800000000000000056916670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.011{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruefalse - insufficient disk space 
23542300x800000000000000056916669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:12.011{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truefalse - insufficient disk space 23542300x800000000000000056916668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:11.996{B81B27B7-25A9-6193-F500-00000000CB01}2848ATTACKRANGE\REED_SCHMIDTC:\Windows\system32\cleanmgr.exeC:\Users\REED_S~1\AppData\Local\Temp\C225BADE-BEAF-4BA4-963B-48C82AD1F05A\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truefalse - insufficient disk space 10341000x8000000000000000109965147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:12.266{3BF36828-9797-6185-0B00-00000000CC01}6366552C:\Windows\system32\lsass.exe{3BF36828-9792-6185-0100-00000000CC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000109965156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:13.703{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE08390C069BE74AD5CBB5A43536A75,SHA256=042729CB2AA38CF111348C7160E54F4120F9B8B9D5CEB14CAC97F36263FC5356,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:13.121{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:13.121{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
insufficient disk space 23542300x800000000000000056916721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:28.437{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC62D9E751788BF48D2A6DF4F14F623,SHA256=6FEB6BE782C5BB225A4BA2C772EDA2D2BBD7CAB9B1DBC2FDF3B9E7E416F1EF41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:28.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2DDBF214727301B62DC2F01FB99685,SHA256=3347FC4CE3FE6660E2192DD586588DF3398E86187A2F6D4E4BEBF6F31D3D556E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:28.168{B81B27B7-2345-6193-2800-00000000CB01}2264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:40.373{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58668-false10.0.1.12-8000- 
23542300x8000000000000000109965180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:29.582{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C56A351844A9612B608DBBB8AB457FC,SHA256=8E51744CDAF67DC9854ABE792A541ED602FA44F773B88C296ECD95EF383E94EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:29.550{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEF44FBE8D72BCDC6508E62B7D80820,SHA256=BFDDC4ADAEA586C0975B5E5FE08B469F3FC987E52352A491EABB10B6449A2BFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:19.967{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49973-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000056916722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:29.437{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB5DBA037B9DE0EBBDF6677BF5C0673,SHA256=38DAFA95AAA9ABD2C8C7FFEDBD41CD482F77C660B5F4D7E499B514149F314D6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109965181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:30.566{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0AF3CE56DEA8CF7C7B02C76BE663B9,SHA256=F78EE6F3FEE08F41ED7B83018B00C036BA2ECFB5449B7971E182D453061D5632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:30.453{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60DE6C9D89F8ED2F8E90B8BE4186F57,SHA256=92733A6A1BC9DC3C580BE06D97C4994E792495E6E0ABE47E9C6B5DA557FAACBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:31.468{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6350EF0747BBCC47498E63E5EFEE0A41,SHA256=FC4B988465FF3EFB6517E7688D73086A5E3F600E7068920ECBB257EF804BDF31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:31.566{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3CA0C7A5B2C50FE21A3FAE20DAA995,SHA256=5211DAE213521851E386AADE0B8B4A05F88DDCDBFB2417F0AB3F15C89AC1CDA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:32.500{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8821A6DC4E80F7BFCE2F8BA4C5F09D4,SHA256=71323267416FDA27ECAA52D0DEC984CA7AAA38A2F3F9642C6F0474BC2C36993B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:32.597{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D9E8D8776B35157F24FBF4CAB08D3C,SHA256=B4E869BCE4448EF66FF73529FF8646A26CE1E2244BF2FBD29C417CCAAB93CB44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:33.597{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDED9B742CC8DE88B4AA3152334A9E6F,SHA256=12EE79F07B8C462B9CEAA191C95B6F1FD7352553CEBF41CE64C2D61C615720D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:33.531{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11694A557AEE99AE3A07B1D0AB4DAF6,SHA256=D85F23CCA5C8E3D62FD15032FC6F9FC96278AC9B83567829CDCA9F11EAADCBA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:23.002{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49974-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109965184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:33.113{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D075F4BC9BB90C3369810E58C7203E3F,SHA256=FDADC25BDA33599B4AB31E340202C6C34DB3D38B1DB83EED73B5D18C4CF6AB11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:34.597{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68FC46E315C1F46643FAF0A0D65EEA,SHA256=DE697744D097FBBAD39404F76011745BF018E315D0C86C39605EC802A5EDE809,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x800000000000000056916729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:34.547{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491D862060D5BC67D8F9F2128F0918BD,SHA256=AB09594C571F49BCD4475537051F5104970C548B9C159D2932938FFD6BD64E2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.329{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58669-false10.0.1.12-8000- 23542300x8000000000000000109965188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:35.722{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36825328A9AD4F37C7BBB58964F6CA1D,SHA256=3D79AA0713AAB30C639A7F615D89229B85C601BE1FA24D77DD9E41395772ECD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:35.562{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A7DA57F8B92EDB9DED206BFF2F6EAA,SHA256=E95E6D8BA6DFF6B0567FBFACF78683DD5D0C9308001BA7188239CAEFE6250DE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:36.722{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232A288B3F2B84291E0191A08E4C0D16,SHA256=4561EC0AB1D9EFDF791558A96950370AB3F6D30CD71FF8006CEB16EE5BB607F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:36.609{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8994AA2556D1910984F21CB8AF42F9C,SHA256=42D86C84B8A4662820D07F5A88B5F3B179C4D91574590A106302C65B11C7367C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:37.625{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F61ABBA5BDF879E0604F4796209EB23,SHA256=A0DDE98E28A86A3059D7EC14800B883575A3A9DBEFEFED8293B7D559156E67C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x8000000000000000109965193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:37.925{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:37.925{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:37.925{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109965190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:37.753{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B9445C4BD073E47FEC5C6F4923926D,SHA256=9C7DE0F538090D7162F11EB5A7E047B4BC96F9EEFEE7B083C46FE2F0C5454291,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:38.832{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81E91C92EBE46CCAC9C57C9517FDEE0,SHA256=AD336DDB9DCA8218CAEF378FCE0100A3296CC98F535DC91623E8343DEF16FFA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:38.640{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36D52B8A3EC5EE7BBD83A5A802414A3,SHA256=BB345AAFE4EECA02F5E78CF77F02AED300C8CA0F81E7B2634A5E5ED52D9ECBCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:51.376{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58670-false10.0.1.12-8000- 23542300x8000000000000000109965195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:38.160{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7131BE0AC9189AAF476F8C6350435A0F,SHA256=B9620FA86966FC414697492E04852682FAC5C4EDB5A78BF64271F269E9EAAB32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:38.160{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77B8D87A2CADE68434C87219225AA787,SHA256=7A0E0EA99A9FB1D5408711ED1580E27D61F1D15E7F7F6982A86D5B9E58C25FEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109965198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:39.847{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05B4B8E89972E02A100A565879B0D3D,SHA256=C3656E6F2C85BEC917AC55756801795BEA34E57D38DCFB251D1FD38C42AF44C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:39.656{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8861B79D51ECC95A375B550F9192B509,SHA256=43331B0E94579B152330A050E3AE69892436B2B07FEF0E5FC8C560D6C65AB77B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:28.924{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49975-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056916737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:40.984{B81B27B7-2344-6193-1400-00000000CB01}716NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D81F3FEC1363061AAB86A7298B5F76A5,SHA256=216B37F93DC8AD6BB91B4682BF1A399D0954DF62500FD83FEEFD90BE5E20D3A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:40.672{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBAB7BD41986B7204EB4E928FDC22C9,SHA256=8008610F0315F36CF0FD610CF5E4C57ECD2AFFFECA102CD2B36D8638944EA932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:41.719{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBCCAE040C5CAF951AC5C356129A165,SHA256=C809EA83B1AC7686CB6A6E642845F6E3F2D85D171EC5FF159EE2FD8D28D493D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:41.082{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742513C7B385C6301947B4F876DF251B,SHA256=58297946E2B1CD069703496E99DDC5C5260A45DE6039EEF05745C4195219AFE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000056916740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-16 03:31:42.937{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7da9a-0x798646dd) 
23542300x800000000000000056916739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:42.750{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B555619F056DBF897CBC753B139481B1,SHA256=F7C53B22DD3197566A2C2AF0A0AD32320583CAED09F7FAAA007FD3A923951B10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:42.222{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CD12856F86855F831320AEB896CC8F,SHA256=DBC14C8B64265C998320B3C285E0D3DD68BABB966DEB6ED7D8C67DAB5319CD49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:43.781{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA8D94756A8A09BA5F44E95117D20A8,SHA256=943B737E2CC43E992260D16EC6ABC3E3310186810B83F63CF041591D1031A842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:43.285{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9155F5D0D19107F9513B37358527D6,SHA256=7C0A4998C29CD42E02704161365764401C5DED9DC4F4937E256C28959D589320,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:33.924{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49976-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109965202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:43.253{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C7011CACD9D83AF7AFD183DB8FE5715,SHA256=1C5AA3961D7E03AE0D4D106CDB89F821DB25EAA06FD8675EA6EE484E9CC237AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:43.253{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7131BE0AC9189AAF476F8C6350435A0F,SHA256=B9620FA86966FC414697492E04852682FAC5C4EDB5A78BF64271F269E9EAAB32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:44.797{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26FF91E95B8B71DFA3848AA321C20BF,SHA256=73E0480BFE9BBDB5F1BD8CD8297E487EA954B0434AAB596D7E74068DE15313D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:56.439{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58671-false10.0.1.12-8000- 23542300x8000000000000000109965205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:44.425{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C7011CACD9D83AF7AFD183DB8FE5715,SHA256=1C5AA3961D7E03AE0D4D106CDB89F821DB25EAA06FD8675EA6EE484E9CC237AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:44.300{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D502159C26A51D7B258EEF3EB09957C,SHA256=F4771630B1482AB2998E8FD3016311FDC8C2893EE27CEC6CE6B4247106FD7284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:45.813{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480CBCD198AD24883FB08A13510D353B,SHA256=2BB1F22C6545C5888F25315A38801055FAE38185D538CE0EB20307CBE5BD3152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:45.300{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96C2EDE05AE6B5BF66843DE9F6C8C8B,SHA256=7E3BDDE6E197B5E6B09A7312958430E24FA9256DF65D6D6E2DD4757FF9EF83AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:46.828{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AF982BF76F3A8CAB2BAB2B1539DB13,SHA256=4B9292319283298E0A7B477F8A0EB0EB29541A93390533D8629800E323430DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109965259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.925{3BF36828-2622-6193-E798-01000000CC01}66086860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.925{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.925{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109965256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000109965255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 
734700x8000000000000000109965248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.769{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109965247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: 
vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft 
WindowsValid 734700x8000000000000000109965233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109965232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
(rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109965220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000109965216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-2622-6193-E798-01000000CC01}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000109965215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:46.753{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:46.753{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
734700x8000000000000000109965415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.805{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.805{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.805{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.805{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.805{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.805{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000109965405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000109965395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000109965383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
10341000x8000000000000000109965381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 
(rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000109965376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:48.789{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:48.789{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.789{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.774{3BF36828-2624-6193-EA98-01000000CC01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.492{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189287DF4CF7368F2B59104F3337D11A,SHA256=CEBAA71AC9CA35B4119FA0F6550C7F8756E38FF45DD777A82E1D07D33DE244A8,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 354300x800000000000000056916747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:39.049{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49977-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000109965368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.269{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109965367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.269{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.269{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000109965365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.144{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B89F1576079C90233D4392E26521AA0,SHA256=6BBC4FBD9EDECFD9C30161332AE27ED5218B021FD13ABA28D0E89424A705DE42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000109965362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.128{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft 
WindowsValid 734700x8000000000000000109965355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000109965332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109965331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000109965330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000109965328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109965327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000109965324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000109965320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-2624-6193-E998-01000000CC01}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000109965319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:48.113{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:49.462{3BF36828-2625-6193-EB98-01000000CC01}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:49.039{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B7B0F29749D814D42866230E8032A7A,SHA256=6E51691A86B804630BF37B4DB7A66C52101D23285B65EF4D63A22EBBA7BF9CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:50.895{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904C2F02D0500BB8BD13F5187D513C6E,SHA256=3880383149255A6C21D6DACEE51334DBD0CC940A128266D2408AD37A2728D3E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.821{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109965585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.821{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.821{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 
(rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109965583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000109965577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.696{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000109965568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000109965556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109965551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109965547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.680{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2626-6193-ED98-01000000CC01}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:50.149{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84699F6CD75FC14F9D193696A4E96978,SHA256=98935B7DC79C2D3B73035B64D9EC94B9DCF9257B141CBB35DB6D5A53953C73C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:51.895{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF8E99BE82392FE1A3409DE8E8479A4,SHA256=6BA6A980DB39C8170A93C62E0CFF9191A044FB6E7DA3ECB2B5FD52AC0F7609CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:03.368{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58673-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000109965589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:03.367{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58673-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000109965588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:51.649{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEA19C62D7D6EB35DFA939000B20C09,SHA256=A373DA1077393CF0E7DF5BE21D6961E08BD19EEF700A71DE8365FB218842B0BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:51.149{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFD463F6DEC742EC34CD26AD86794A5F,SHA256=048AEF3B2AD9DF07BC311A3699C7151CF3805AD0775BF8E2F9BF296F10996F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:52.926{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FECC31738CFA15747525AA58B055C90,SHA256=FE5659B67A3F4A6310B96DB6AB20BC1331B76EB68A7CAA8C84BBE20B048896C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:52.649{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCF0E256F28F44CA6B77BE450895EEE,SHA256=A60355AA528FE4D3D663A345B8EE9AA648E42612C0AC34047ECFD58B75307FE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:53.943{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3421B33B82656464FE179FDA270ECB6,SHA256=20746D77EE881E142EA1DDABB6176DF9464E5A8A7A8C92D9D57B345BFCBCAA10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:53.664{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64668E9FB897F0305356D1714ACB5D7,SHA256=78435CA994591E7F124C5BB6AFDF6D21622D380FAB6FC835101076E513F4BF2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:44.069{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49978-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
23542300x800000000000000056916763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:54.960{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968D4029306FCC616F477A972290D2CB,SHA256=A063A0F49E93D2486610064632FC9DF4ADFC76641378BCBF1D60892F64F8D998,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:54.836{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CC079FB11A72AAF7AB3A50EFBBEBD9,SHA256=B7077AE687C164841F6CC414902700F9029C8A616E7DF82016028CDB0C02924A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:54.162{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-262A-6193-1D01-00000000CB01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:54.162{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:54.162{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:54.162{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:54.162{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:54.162{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-262A-6193-1D01-00000000CB01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:54.162{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-262A-6193-1D01-00000000CB01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:54.163{B81B27B7-262A-6193-1D01-00000000CB01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:54.149{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41FEA819D2B1FC901068FFC5860BE481,SHA256=30777FC3EBF09847CDB867E44904F009CE2D6F867E6500C339023F6512B2561A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:55.992{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7B0F6BB0EFF2C288B1D1FC9375D82A,SHA256=6EF1B0D96BEBB4937935ABF798CDD6B731C2FBFFCFBD2A3ABA5CE40422C1D70C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.979{B81B27B7-262B-6193-1F01-00000000CB01}60804848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056916782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.963{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96AC723AE21DCA5A49B9BFDF48A816AB,SHA256=70F8C1F353BCB494B9685535FE222FE22EED5C44D4F58AFCA36B80A94F01A551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.823{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-262B-6193-1F01-00000000CB01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:55.823{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.823{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:55.823{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.823{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:55.823{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-262B-6193-1F01-00000000CB01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.823{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-262B-6193-1F01-00000000CB01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.823{B81B27B7-262B-6193-1F01-00000000CB01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.163{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B28E858D22627FCCF86036888AA3CA,SHA256=18D747BBFA60FC1BA2D755DCA483DD5EB3381D74EFF2E9AA0DD546C81491B167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.163{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70899CB9167AC9D15A2C7D121F46FBFD,SHA256=DD69F70883F955947046D9383DAAFD3F621BC2A2B013FE9E63A7CB093F8133C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.148{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-262B-6193-1E01-00000000CB01}5476C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.148{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:55.148{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.148{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:55.148{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.148{B81B27B7-2343-6193-0500-00000000CB01}416780C:\Windows\system32\csrss.exe{B81B27B7-262B-6193-1E01-00000000CB01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.148{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-262B-6193-1E01-00000000CB01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:55.148{B81B27B7-262B-6193-1E01-00000000CB01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:55.930{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01B74332C2CFDCE110132BDC90AABB81,SHA256=D152054A1C618DBA396A32A4A47EE1D8C578391B19B626F3C63878788B6C510F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000109965596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:07.350{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58674-false10.0.1.12-8000- 23542300x8000000000000000109965595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:55.711{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7BA78C9696647CEEAEF68894C12FF437,SHA256=E6B0D74F4EB9D0D669A20CA642CB590392833CB875F78EBC5F10378D5E154BD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:08.962{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49979-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000109965599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:08.959{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local58675-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 354300x800000000000000056916786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:46.555{B81B27B7-2343-6193-0C00-00000000CB01}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49979-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000056916785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:46.554{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal58675-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x800000000000000056916784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:56.338{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B28E858D22627FCCF86036888AA3CA,SHA256=18D747BBFA60FC1BA2D755DCA483DD5EB3381D74EFF2E9AA0DD546C81491B167,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:57.008{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:57.008{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D315BD8583D42D1E163103AB5AA96E,SHA256=BA9D9C80FA210C63C67A08DF4AD7B2F62126EB34CF8218D33971BCC3D3C36855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.776{B81B27B7-262D-6193-2001-00000000CB01}33645896C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.526{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-262D-6193-2001-00000000CB01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:57.526{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.526{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:57.526{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.526{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:57.526{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-262D-6193-2001-00000000CB01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.526{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-262D-6193-2001-00000000CB01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.527{B81B27B7-262D-6193-2001-00000000CB01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:57.010{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542E68AAC322D44309AD5B8114F53004,SHA256=FFF0073FCA760DF6177BB5F7FBC23ED87044C07C98EDD8BE86F78D2FB04D1665,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:11.226{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58676-false10.0.1.12-8089- 23542300x8000000000000000109965604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:58.149{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9C36DAED1409C8E6A24C46B51FA0BF,SHA256=22F83D0E8337E14E4B3D1DA98489EF597534AC08C8D37116C291C20A046164F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:58.557{B81B27B7-262E-6193-2101-00000000CB01}36925936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056916806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.542{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8002BF41050D0B0118BB13B828FE4A2C,SHA256=D12384E4A5B86BFED7187AD812AB05CA2A025CC824F70865DCC4DD800D685842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.417{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-262E-6193-2101-00000000CB01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:58.417{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.417{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:58.417{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.417{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:58.417{B81B27B7-2343-6193-0500-00000000CB01}416780C:\Windows\system32\csrss.exe{B81B27B7-262E-6193-2101-00000000CB01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.417{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-262E-6193-2101-00000000CB01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.417{B81B27B7-262E-6193-2101-00000000CB01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:58.026{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337E832C2DAF706AFE33EB4B6FEFD66A,SHA256=FE9CE7B70321F21CF62568A071B4294C65A8652158B239D3D61F6D821482EAB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:31:58.008{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9812ECC4F727329CAFB7F88DD6F16F80,SHA256=E32F62DF2260D07E44DB46DF8F475A38DA73E5A0371350C8FF1062532E38A2D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109965608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:12.350{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58677-false10.0.1.12-8000- 23542300x8000000000000000109965607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:31:59.164{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4984DC86C5F7AEBC6EEDAC93B109D85E,SHA256=11A5127BC7D9ADEDE7FD48083CE048707596B08F331BE1B409CA581DBB9D35C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:49.887{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49980-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056916818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:59.635{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04EE082248F7F0EA54995EB16341CC00,SHA256=0B797012913C3FF726675026010DE4B971537BEB2FB17B7D0E7145BA0523AE53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:59.260{B81B27B7-262F-6193-2201-00000000CB01}53844188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:59.088{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-262F-6193-2201-00000000CB01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:59.088{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:31:59.088{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:31:59.088{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8400-00000000CB01}3308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:10.463{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056916843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:10.353{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31AB408F896A60DCECB98DDF4AA8140,SHA256=B5244570581A86006D867D350E546F2031C083DF4E13D6334FBD230D06D72595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:00.059{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49982-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109965626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:11.811{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A1A967F4E04D3B657CBE5D8906631C,SHA256=E163D688EFB09A3B07890F16FCC6F870E42AAB7E88A61B59A406BB7E904D43B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:11.385{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAECAF538AB9046E2F431163482D855,SHA256=3724956AA2D6E355BBC6436F5534DE47B18CC932D867B1B821A25E0C29DAA606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:12.827{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B409D713460301CD30942380E3A7C17,SHA256=E01FFAD25F4FFF259C28453705401F41A81FB7100E0AA523A0927DB8545471CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:12.400{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9A689BA991E7979225A1FE88716C0D,SHA256=8F0547B91272559C67ABD4D1A6146809B902410037A21CD9A1A4D596D5406F4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:13.889{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173F79A1E051D5AF1BF174CD6085981B,SHA256=96748DEA4BAD8919A54E54BFC572B2E75C607AD2E4BD1DDBE540143D28AE3FD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:13.431{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971D4089C508B43EBE5A40CF80CE824A,SHA256=308DD308871CA0272CFBBFFFB7CB4E483A979AA454CE6C69901516A31349584E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x800000000000000056916873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:14.447{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210FAB0678CC68BB4322663FCB036487,SHA256=34339FD6AB9C0AF0BDEA6698B58DC52D111A432E4D21536F2B2B3C72A1E9370F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:15.202{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0DB863153728FC48F8D20F2B00852E7,SHA256=705FB67DCAC93ED5F961344A1F202F143A21DA7AD0989D42DB49845D91EA98D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:15.202{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC147E02E310D4E719F477C9D69B9F2E,SHA256=47F840F9EBD1D0C05994E5CA8F99AF4CAF83CCAD82DC2C9DE06F473EA08A06C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:15.124{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B975909199E62B98FDF13304D8BFAB,SHA256=E2CB430C7F56C95C9176680B4848714239BE741ACF71750BD0B1010A5B34A3E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:15.447{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5161F7A74C19FCA461EE80DA1CD721F,SHA256=8A0BE86736EC8C040490335ED38EC8809213FB53625630865EB0E31D1D5EFA26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:16.478{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F669C26F48A75FBAC61463E749E74961,SHA256=D39034E6033FA2C5ED4954AFE962C81B540EB26C8BAD4990B14F8875B986B7F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:16.170{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B76C19DBCD3AE906FE405427E280EE5,SHA256=4860C98F20C47F18DC8D5A807B11564F411C5FC2FAE94A1938AE52CC05792283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000109965632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:28.263{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58680-false10.0.1.12-8000- 354300x800000000000000056916880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:06.058{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49983-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000056916879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:16.135{B81B27B7-2640-6193-2401-00000000CB01}60081328C:\Windows\system32\wbem\wmiprvse.exe{B81B27B7-2344-6193-1600-00000000CB01}1104C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\combase.dll+24fe2|C:\Windows\System32\combase.dll+25d0e|C:\Windows\System32\combase.dll+25b1f|C:\Windows\System32\combase.dll+58e58|C:\Windows\System32\combase.dll+58a70|C:\Windows\System32\combase.dll+65aa7|C:\Windows\System32\combase.dll+c2064|C:\Windows\System32\combase.dll+62ae1|C:\Windows\System32\combase.dll+642c0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 
10341000x800000000000000056916878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:16.026{B81B27B7-2344-6193-1600-00000000CB01}11042332C:\Windows\system32\svchost.exe{B81B27B7-2640-6193-2401-00000000CB01}6008C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:16.010{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2640-6193-2401-00000000CB01}6008C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:15.994{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-2640-6193-2401-00000000CB01}6008C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:15.994{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2640-6193-2401-00000000CB01}6008C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056916888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.932{B81B27B7-2603-6193-1C01-00000000CB01}5348NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.htmlMD5=03EAA5B35A30BC3706A6079829A1ED86,SHA256=1B14ADB5772D54DEC58B2D8F66D9DADF3ED12D6AE39AB4A02BEA423490AB0221,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.932{B81B27B7-2603-6193-1C01-00000000CB01}5348NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056916886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.932{B81B27B7-2603-6193-1C01-00000000CB01}5348NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.541{B81B27B7-2603-6193-1C01-00000000CB01}5348NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-latest.xmlMD5=B1ABCB3B4EB3017391BFD8409FFE9F6E,SHA256=A5F89BBA15D703B765662F28BFD80DB1B2C7D8B0AB65602C86EB7167543BE43A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.510{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE7BE22A14F512399D80365857D8C5C,SHA256=E1BD1D942A8825993BCB3C1E6CDBFB62386B9CBA439818EC64BEB2AE1C641E67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:17.264{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6756512917C7FB1D91B1CB891F0D80DF,SHA256=2728B9D1B14AB48043C4463FEF925E5590A5CB7BF31BBA773717E19688E7E5BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.010{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D724C625B24C5EEC08BFAEB8950903,SHA256=0B0DD0825FBC601ABDE09A43DFBCEC182E8E11AA0A22B07B3E86C21ADB2132DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:17.010{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD6D3EA3457D906E5012730914A2511,SHA256=17A955213E365E3CABA0D100F6C23EC9D89731B8DDE9FDA3CB87A6F566A81F46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:18.541{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB1A21F2AEA801A89C9F55CE9A71C65,SHA256=2ADC251CAD4852AAC4637E519D59CE636E0337A2FAF7C33206D2A496ED35894E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49989-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109965676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:45.745{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9223B43EBD9067164478E28C66C3D01,SHA256=986E8B35F6A3889EFC0759E855A313B7C6147B5355A6A9F8F53C556E8E546347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:45.243{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215A0A5944E49616887D2906E6D77E39,SHA256=DE273F3D7481044213D59BF79F070294AB0953910D394CE29B775BED7304DB34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.901{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109965726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.901{3BF36828-265E-6193-EE98-01000000CC01}53046536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.901{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.901{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000056916929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:46.384{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E03FFEBC135102EF7950E48027BD989,SHA256=CFE1363AE891DB644BD4C13609B841EC1B16656A6131AC517944BC083A462534,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.760{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.760{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.760{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.760{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.760{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
734700x8000000000000000109965717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 
734700x8000000000000000109965696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109965688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:46.745{3BF36828-265E-6193-EE98-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Sysmon event records from channel Microsoft-Windows-Sysmon/Operational, one record per line, with the Windows System fields (EventID, RecordID, Computer, UtcTime) followed by the Sysmon EventData fields in schema order. Values identical in every record are not repeated: Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the EventID, schema Version 5 for EventID 1 and 23 and Version 3 for EventID 7 and 10, RuleName "-".

(tail of an EventID 7 record whose beginning precedes this section) ...Corporation ; OriginalFileName: kernel32 ; Hashes: MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965685 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; ProcessGuid: {3BF36828-265E-6193-EE98-01000000CC01} ; ProcessId: 5304 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\ntdll.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: NT Layer DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: ntdll.dll ; Hashes: MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965684 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; ProcessGuid: {3BF36828-265E-6193-EE98-01000000CC01} ; ProcessId: 5304 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 10 (ProcessAccess) ; RecordID: 109965683 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965682 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965681 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965680 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965679 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; SourceProcessGUID: {3BF36828-9797-6185-0500-00000000CC01} ; SourceProcessId: 420 ; SourceThreadId: 536 ; SourceImage: C:\Windows\system32\csrss.exe ; TargetProcessGUID: {3BF36828-265E-6193-EE98-01000000CC01} ; TargetProcessId: 5304 ; TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; GrantedAccess: 0x1fffff ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID: 10 (ProcessAccess) ; RecordID: 109965678 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.745 ; SourceProcessGUID: {3BF36828-989D-6185-BF00-00000000CC01} ; SourceProcessId: 2968 ; SourceThreadId: 2452 ; SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetProcessGUID: {3BF36828-265E-6193-EE98-01000000CC01} ; TargetProcessId: 5304 ; TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; GrantedAccess: 0x1fffff ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 1 (ProcessCreate) ; RecordID: 109965677 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:46.730 ; ProcessGuid: {3BF36828-265E-6193-EE98-01000000CC01} ; ProcessId: 5304 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 ; CurrentDirectory: C:\Windows\system32\ ; User: NT AUTHORITY\SYSTEM ; LogonGuid: {3BF36828-9797-6185-E703-000000000000} ; LogonId: 0x3e7 ; TerminalSessionId: 0 ; IntegrityLevel: System ; Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ; ParentProcessGuid: {3BF36828-989D-6185-BF00-00000000CC01} ; ParentProcessId: 2968 ; ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID: 23 (FileDelete) ; RecordID: 56916930 ; Computer: win-host-987.attackrange.local ; UtcTime: 2021-11-16 03:32:47.618 ; ProcessGuid: {B81B27B7-2357-6193-8800-00000000CB01} ; ProcessId: 5124 ; User: NT AUTHORITY\SYSTEM ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes: MD5=22174AC56B7A5195E2F187DCE7A395ED,SHA256=1E3078EAD89264459EDD828EB0271F4EE87839661FE14518AA83210E18571900,IMPHASH=00000000000000000000000000000000 ; IsExecutable: false ; Archived: false - insufficient disk space
EventID: 23 (FileDelete) ; RecordID: 109965780 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.760 ; ProcessGuid: {3BF36828-98AB-6185-F600-00000000CC01} ; ProcessId: 5748 ; User: NT AUTHORITY\SYSTEM ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security ; Hashes: MD5=C6C0479D54106B0A490C9F916AABBECF,SHA256=A5973E8ABE24BC5691172DAA05BEE2D986F5F4B1519D408746E547B0E916A8DD,IMPHASH=00000000000000000000000000000000 ; IsExecutable: false ; Archived: false - insufficient disk space
EventID: 7 (ImageLoad) ; RecordID: 109965779 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.573 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\kernel.appcore.dll ; FileVersion: 10.0.14393.2312 (rs1_release.180607-1919) ; Description: AppModel API Host ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: kernel.appcore.dll ; Hashes: MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 10 (ProcessAccess) ; RecordID: 109965778 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.573 ; SourceProcessGUID: {3BF36828-265F-6193-EF98-01000000CC01} ; SourceProcessId: 1860 ; SourceThreadId: 4416 ; SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; TargetProcessGUID: {3BF36828-989D-6185-BF00-00000000CC01} ; TargetProcessId: 2968 ; TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; GrantedAccess: 0x101400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 7 (ImageLoad) ; RecordID: 109965777 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.573 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\dbgcore.dll ; FileVersion: 10.0.14321.1024 (debuggers(dbg).210127-1811) ; Description: Windows Core Debugging Helpers ; Product: Microsoft® Windows® Operating System ; Company: Microsoft ; OriginalFileName: DBGCORE.DLL ; Hashes: MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965776 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.573 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\dbghelp.dll ; FileVersion: 10.0.14321.1024 (rs1_release.160715-1616) ; Description: Windows Image Helper ; Product: Microsoft® Windows® Operating System ; Company: Microsoft ; OriginalFileName: DBGHELP.DLL ; Hashes: MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965775 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.448 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\cryptbase.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: Base cryptographic API DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: cryptbase.dll ; Hashes: MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965774 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.448 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\rsaenh.dll ; FileVersion: 10.0.14393.2969 (rs1_release.190503-1820) ; Description: Microsoft Enhanced Cryptographic Provider ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: rsaenh.dll ; Hashes: MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965773 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.448 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\cryptsp.dll ; FileVersion: 10.0.14393.2969 (rs1_release.190503-1820) ; Description: Cryptographic Service Provider API ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: cryptsp.dll ; Hashes: MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965772 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.448 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\srvcli.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: Server Service Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: SRVCLI.DLL ; Hashes: MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965771 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\bcrypt.dll ; FileVersion: 10.0.14393.4046 (rs1_release.201028-1803) ; Description: Windows Cryptographic Primitives Library ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: bcrypt.dll ; Hashes: MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965770 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\wkscli.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: Workstation Service Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: WKSCLI.DLL ; Hashes: MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366A ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965769 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\netutils.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: Net Win32 API Helpers DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: NETUTILS.DLL ; Hashes: MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965768 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\netapi32.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: Net Win32 API DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: NetApi32.DLL ; Hashes: MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965767 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll ; FileVersion: 14.16.27012.6 built by: vcwrkspc ; Description: Microsoft® C Runtime Library ; Product: Microsoft® Visual Studio® 2017 ; Company: Microsoft Corporation ; OriginalFileName: msvcp140.dll ; Hashes: MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD ; Signed: true ; Signature: Microsoft Corporation ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965766 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\msvcp_win.dll ; FileVersion: 10.0.14393.2999 (rs1_release_inmarket.190520-1518) ; Description: Microsoft® C Runtime Library ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: msvcp_win.dll ; Hashes: MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965765 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\oleaut32.dll ; FileVersion: 10.0.14393.4402 (rs1_release.210426-1725) ; Description: OLEAUT32.DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: OLEAUT32.DLL ; Hashes: MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965764 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\bcryptprimitives.dll ; FileVersion: 10.0.14393.4046 (rs1_release.201028-1803) ; Description: Windows Cryptographic Primitives Library ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: bcryptprimitives.dll ; Hashes: MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965763 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\combase.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: Microsoft COM for Windows ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: COMBASE.DLL ; Hashes: MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965762 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\ole32.dll ; FileVersion: 10.0.14393.4169 (rs1_release.210107-1130) ; Description: Microsoft OLE for Windows ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: OLE32.DLL ; Hashes: MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965761 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll ; FileVersion: 14.16.27012.6 built by: vcwrkspc ; Description: Microsoft® C Runtime Library ; Product: Microsoft® Visual Studio® 2017 ; Company: Microsoft Corporation ; OriginalFileName: vcruntime140.dll ; Hashes: MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E ; Signed: true ; Signature: Microsoft Corporation ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965760 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\win32u.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: Win32u ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: Win32u.DLL ; Hashes: MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965759 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\gdi32full.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: GDI Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: gdi32 ; Hashes: MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965758 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\Wldap32.dll ; FileVersion: 10.0.14393.3269 (rs1_release.190929-1234) ; Description: Win32 LDAP API DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: WLDAP32.DLL ; Hashes: MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965757 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\user32.dll ; FileVersion: 10.0.14393.4169 (rs1_release.210107-1130) ; Description: Multi-User Windows USER API Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: user32 ; Hashes: MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965756 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\gdi32.dll ; FileVersion: 10.0.14393.4169 (rs1_release.210107-1130) ; Description: GDI Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: gdi32 ; Hashes: MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965755 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\adsldpc.dll ; FileVersion: 10.0.14393.0 (rs1_release.160715-1616) ; Description: ADs LDAP Provider C DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: adsldpc ; Hashes: MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965754 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\ws2_32.dll ; FileVersion: 10.0.14393.3241 (rs1_release_inmarket.190910-1801) ; Description: Windows Socket 2.0 32-Bit DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: ws2_32.dll ; Hashes: MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965753 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\archive.dll ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; Hashes: MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193 ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965752 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll ; FileVersion: 1.0.2t ; Description: OpenSSL Shared Library ; Product: The OpenSSL Toolkit ; Company: The OpenSSL Project, http://www.openssl.org/ ; OriginalFileName: libeay32.dll ; Hashes: MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFE ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965751 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; Hashes: MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965750 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\rpcrt4.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: Remote Procedure Call Runtime ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: rpcrt4.dll ; Hashes: MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965749 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; Hashes: MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2 ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965748 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\sechost.dll ; FileVersion: 10.0.14393.3808 (rs1_release.200707-2105) ; Description: Host for SCM/SDDL/LSA Lookup APIs ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: sechost.dll ; Hashes: MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965747 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\ucrtbase.dll ; FileVersion: 10.0.14393.3659 (rs1_release_1.200410-1813) ; Description: Microsoft® C Runtime Library ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: ucrtbase.dll ; Hashes: MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965746 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll ; FileVersion: 1.0.2t ; Description: OpenSSL Shared Library ; Product: The OpenSSL Toolkit ; Company: The OpenSSL Project, http://www.openssl.org/ ; OriginalFileName: ssleay32.dll ; Hashes: MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965745 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\msvcrt.dll ; FileVersion: 7.0.14393.2457 (rs1_release_inmarket.180822-1743) ; Description: Windows NT CRT DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: msvcrt.dll ; Hashes: MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965744 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; Hashes: MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212EC ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965743 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll ; FileVersion: 2.9.9 ; Description: libxml2 library ; Product: libxml2 ; Company: - ; OriginalFileName: libxml2.dll ; Hashes: MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20 ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965742 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\activeds.dll ; FileVersion: 10.0.14393.4169 (rs1_release.210107-1130) ; Description: ADs Router Layer DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: ADs ; Hashes: MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965741 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\advapi32.dll ; FileVersion: 10.0.14393.2969 (rs1_release.190503-1820) ; Description: Advanced Windows 32 Base API ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: advapi32.dll ; Hashes: MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBC ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 10 (ProcessAccess) ; RecordID: 109965740 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-989E-6185-C300-00000000CC01} ; SourceProcessId: 5956 ; SourceThreadId: 5960 ; SourceImage: C:\Windows\system32\conhost.exe ; TargetProcessGUID: {3BF36828-265F-6193-EF98-01000000CC01} ; TargetProcessId: 1860 ; TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; GrantedAccess: 0x1fffff ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 7 (ImageLoad) ; RecordID: 109965739 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\KernelBase.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: Windows NT BASE API Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: Kernelbase.dll ; Hashes: MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965738 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\kernel32.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: Windows NT BASE API Client DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: kernel32 ; Hashes: MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965737 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Windows\System32\ntdll.dll ; FileVersion: 10.0.14393.4350 (rs1_release.210407-2154) ; Description: NT Layer DLL ; Product: Microsoft® Windows® Operating System ; Company: Microsoft Corporation ; OriginalFileName: ntdll.dll ; Hashes: MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000 ; Signed: true ; Signature: Microsoft Windows ; SignatureStatus: Valid
EventID: 7 (ImageLoad) ; RecordID: 109965736 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; ImageLoaded: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ; Signed: true ; Signature: Splunk, Inc. ; SignatureStatus: Valid
EventID: 10 (ProcessAccess) ; RecordID: 109965735 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965734 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965733 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965732 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-9799-6185-0C00-00000000CC01} ; SourceProcessId: 844 ; SourceThreadId: 6424 ; SourceImage: C:\Windows\system32\svchost.exe ; TargetProcessGUID: {3BF36828-97A9-6185-2A00-00000000CC01} ; TargetProcessId: 2912 ; TargetImage: C:\Windows\sysmon64.exe ; GrantedAccess: 0x1400 ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 10 (ProcessAccess) ; RecordID: 109965731 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-9797-6185-0500-00000000CC01} ; SourceProcessId: 420 ; SourceThreadId: 536 ; SourceImage: C:\Windows\system32\csrss.exe ; TargetProcessGUID: {3BF36828-265F-6193-EF98-01000000CC01} ; TargetProcessId: 1860 ; TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; GrantedAccess: 0x1fffff ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID: 10 (ProcessAccess) ; RecordID: 109965730 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.432 ; SourceProcessGUID: {3BF36828-989D-6185-BF00-00000000CC01} ; SourceProcessId: 2968 ; SourceThreadId: 2452 ; SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; TargetProcessGUID: {3BF36828-265F-6193-EF98-01000000CC01} ; TargetProcessId: 1860 ; TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; GrantedAccess: 0x1fffff ; CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID: 1 (ProcessCreate) ; RecordID: 109965729 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.417 ; ProcessGuid: {3BF36828-265F-6193-EF98-01000000CC01} ; ProcessId: 1860 ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe ; FileVersion: - ; Description: - ; Product: - ; Company: - ; OriginalFileName: - ; CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" ; CurrentDirectory: C:\Windows\system32\ ; User: NT AUTHORITY\SYSTEM ; LogonGuid: {3BF36828-9797-6185-E703-000000000000} ; LogonId: 0x3e7 ; TerminalSessionId: 0 ; IntegrityLevel: System ; Hashes: MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ; ParentProcessGuid: {3BF36828-989D-6185-BF00-00000000CC01} ; ParentProcessId: 2968 ; ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ; ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID: 23 (FileDelete) ; RecordID: 109965728 ; Computer: win-dc-128.attackrange.local ; UtcTime: 2021-11-16 03:32:47.167 ; ProcessGuid: {3BF36828-98AB-6185-F600-00000000CC01} ; ProcessId: 5748 ; User: NT AUTHORITY\SYSTEM ; Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe ; TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational ; Hashes: MD5=CB84BF09AE249883373A0B567C532D61,SHA256=613450861A70393310BBDA785A9D3C41AC6A2E39FB58CD47132FC889922EC52F,IMPHASH=00000000000000000000000000000000 ; IsExecutable: false ; Archived: false - insufficient disk space
EventID: 23 (FileDelete) ; RecordID: 56916931 ; Computer: win-host-987.attackrange.local ; UtcTime: 2021-11-16 (record continues past the end of this section)
03:32:48.665{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F65EB657D8127349F874923BB4E4B1,SHA256=B395D9DC7DF080B1F05F8543590AB77FA6C23DED1AEED440FE9D775BE37CC95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.947{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109965883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.947{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.947{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109965881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.822{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.822{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.822{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000109965878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.822{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000109965868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 
(rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000109965861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe 
OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000109965850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000109965846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109965845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000109965843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000109965840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.806{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.806{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.806{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.806{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.791{3BF36828-2660-6193-F198-01000000CC01}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000109965833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:01.306{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58686-false10.0.1.12-8000- 10341000x8000000000000000109965832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.260{3BF36828-2660-6193-F098-01000000CC01}56766216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.260{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 
(debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.260{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000109965829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.151{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9484CF832BB3DD8FB027C061167DE80,SHA256=734344EC6B327173E825A0D7670F1D7AEFA1C303B264B3111CC1996474CD714E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000109965827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 
734700x8000000000000000109965820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.135{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109965819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: 
vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft 
WindowsValid 734700x8000000000000000109965805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109965804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
(rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109965792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000109965788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000109965787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.120{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:48.120{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.120{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:48.105{3BF36828-2660-6193-F098-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:49.681{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2364048BF67623C31DDB3F3CD164CDD,SHA256=0ECB81DA80840DB4A1E9A00F68FE40CF5C449066B01F7B98950605BE9BCBFE6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000109965939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.509{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109965938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.509{3BF36828-2661-6193-F298-01000000CC01}43605416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.494{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000109965936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.494{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109965935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109965931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft 
WindowsValid 734700x8000000000000000109965929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.353{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109965923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109965917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109965913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109965906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109965902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000109965901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109965899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000109965894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:49.338{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:49.338{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:49.338{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.338{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.325{3BF36828-2661-6193-F298-01000000CC01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109965887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.322{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE3AFFCC529BC72203F02F2E3A774A1,SHA256=88AC03FC3001738E1CAE404E823B0587FC731EF46E01719472A2D11A20E44BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.291{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B03DD35EC297D2B74BF95C7C858118,SHA256=B92A956183C9DABAAD88404A73034DE09908A63F5D29F9BB4CA65FEB82373C89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:49.291{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A52D35D60AE7B4FFA7DA4919585C6764,SHA256=DB4A9D73EC463F3F00E1BEFB1D572E306FDC138A441C5E4A1A7C836D4E05A97A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056916932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:39.055{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49990-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056916934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:50.712{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D659D05734F84A7B400DCB2CD96391,SHA256=9548917ED0E015C77653AC314A903A7F96F69004BAFCD21E664A111909E88736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109966050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.853{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109966049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.853{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.853{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109966047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.728{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.728{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.728{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109966044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.728{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109966043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.728{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
734700x8000000000000000109966042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109966039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 
(rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109966037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109966033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 
734700x8000000000000000109966032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109966031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109966030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109966029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109966026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109966024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109966023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109966020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109966018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109966017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109966016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109966015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109966014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109966013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109966011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.713{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109966009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109966008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000109966006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.713{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.713{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.713{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109966000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.698{3BF36828-2662-6193-F498-01000000CC01}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000109965999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:03.368{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58687-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000109965998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:03.368{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58687-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000109965997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.478{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8437A6ED4B050A0A262E6D61AF0563D,SHA256=645D7485AB1631D167680B2A0045A0757033765CC813B96D3583DFAF6B384E49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.447{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FBCD2A87CD3BD3725569658AF2D7C3,SHA256=7867BEB600C3159276A841ED3F60AB685721E8FD4656437A0F0F2FF0B977F161,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109965995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.447{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5225A8854DB98408665666909816AFC,SHA256=5B32A6AC2A9E36E3BE96787E0FE0FF3F6D0A988863C512C83B2D7B7BDAF99D0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109965994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.166{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109965993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.150{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109965992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.150{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109965991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.041{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109965990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.041{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109965989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.041{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109965988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.041{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000109965987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109965986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109965985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109965984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109965983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000109965982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109965981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109965980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109965979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109965978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000109965977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109965976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109965975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109965974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109965973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109965972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109965971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109965970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109965969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109965968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109965967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000109965966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109965965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109965963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109965962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109965961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109965960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000109965959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109965958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109965957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000109965956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000109965955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109965954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109965953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000109965952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000109965951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109965950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109965949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows 
NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109965948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109965947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000109965946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.025{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.025{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-9799-6185-0C00-00000000CC01}8446424C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109965942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:50.025{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109965941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.025{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109965940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:50.010{3BF36828-2662-6193-F398-01000000CC01}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:51.744{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C76FDDC39AFFA4748DA84EF887568F,SHA256=CFFE9F33BEF65214E638976811C1E556AA6234A1A51B322DCB13349E1A6ABDAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.619{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EE6BBBBF07E7D2C0BE7E53592271A2,SHA256=1E0E9ED5E4D0E630E3E4B3257E36B2762BF5B4E4B2B94B90E889C9FEFCD3D287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109966081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.509{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109966051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:51.166{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD4188626A40CC0EEB5067EFDDE87667,SHA256=24E53E11F870E60DA120745E23BB0156CE001BDDF8E9EBCC477EA1D3069B1DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
03:32:58.934{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-266A-6193-2A01-00000000CB01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.934{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:58.934{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.934{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:58.934{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.934{B81B27B7-2343-6193-0500-00000000CB01}416780C:\Windows\system32\csrss.exe{B81B27B7-266A-6193-2A01-00000000CB01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.934{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-266A-6193-2A01-00000000CB01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.936{B81B27B7-266A-6193-2A01-00000000CB01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056916994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.903{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658FF2E9E08F480C2395EBE52580075A,SHA256=3E774FFC716895F24C263B79E0AA6E184AC7E9FB47E57BB96DB9171FFBE52591,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000109966095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:11.446{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58690-false10.0.1.12-8000- 354300x8000000000000000109966094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:11.228{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58689-false10.0.1.12-8089- 23542300x8000000000000000109966093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:58.260{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DBDDAB4E9B23A18AC61AF94DBF9B5F,SHA256=44D2B075F835E795D19266EEC676FECC9C1EFDCBAF767F0195C88C53CB84C281,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056916993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.606{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BB9D1A956D1536EA34FB4F20A463C33,SHA256=EF3D0D310C869658AA81406111AC42615B2B60221BF8286B70890AB23D0580BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056916992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.559{B81B27B7-266A-6193-2901-00000000CB01}35244560C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.419{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-266A-6193-2901-00000000CB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:58.419{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.419{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:58.419{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.419{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:32:58.419{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-266A-6193-2901-00000000CB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056916985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.419{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-266A-6193-2901-00000000CB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056916984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:58.419{B81B27B7-266A-6193-2901-00000000CB01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109966092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:58.025{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA991A5172BC193C108CDBE9071304F7,SHA256=BC2B58A3F953E40BC309F9F0CC871D85D8EEDC8731ED36BF7B35FEE73689FCD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:59.966{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2352FF5E475D011D29568CAAD2000B6,SHA256=29E14FCB0E6D83FF9E585C139536D06BEA333AF6A6D1583A686C51E98922C65B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:59.950{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA501687224B78C02A140D67F0706716,SHA256=27C6971FDA20078FE0D8AAFA51EE5AF17B2C99250572DFF182C7D776189A24FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x8000000000000000109966096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:32:59.260{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAD2AB7F80EBD171926BAB7D7398204,SHA256=F7C20A63E4CCA33F6F048ECACE18B660EB45F90C3ED774C772FFD5A4C3F9959F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:49.918{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49992-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000056917003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:59.138{B81B27B7-266A-6193-2A01-00000000CB01}6841792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109966097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:00.291{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B695C114BB0F62912427BF805E2AEB,SHA256=438669360703D318923AA0D75ED2829DB6F67AD86D1090EF381B11C32A3D071E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:00.559{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-266C-6193-2B01-00000000CB01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:00.559{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:00.559{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:00.559{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:00.559{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:00.559{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-266C-6193-2B01-00000000CB01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:00.559{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-266C-6193-2B01-00000000CB01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:00.560{B81B27B7-266C-6193-2B01-00000000CB01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109966098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:01.353{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0721F7B3F5D757BE4770A7A63C7893,SHA256=F18B9866C7117D3B08EC5FC61AC4A567093053985BA64591350AC090EBB2D17F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056917016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:01.575{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BEC141291B15411AA82D9D5F068CE6A,SHA256=185EB8FFBE4480BEE9E21035A19469B10C8292A8B94F93A87DA47D18DA4C3648,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:01.044{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DA1796BFE3F39A72687FCFB082606F,SHA256=ABE2F128E0AF6836D4A853FDAF911EE4A1AE3C1D515FEEFFBCF75D56C9F5064E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:02.400{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEA6148FE860C295E60DE0CDCAE4E05,SHA256=2F7FCC2FB3F20FC8FB5AC9D88E7D2A6FA325D548125FA22C70BC952CCD28070F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:02.060{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC69FE570FE49EC7B6FA5EA1C6DA1EC,SHA256=A73D142F73562F888ACC1A96A0331764E7F5CAFEEB138C4B07171C5B9E1C179B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:03.494{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E661D85E6F4EB15786FEEB7B28AC2ABA,SHA256=179EEEABFC16629BC92652432A1F06E8FF7A97BBACFB255BA4C10E141E4287E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:03.075{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC35F15E3BEA574BE358653749D55EFD,SHA256=6F86B92138AB9E07A5A27A2E20B11237E9C8F06E9AE65A4F60B9B827849A9F7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:17.353{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58691-false10.0.1.12-8000- 23542300x8000000000000000109966103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:04.510{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D6BCA10FE91661E3204FB001DFD8A9,SHA256=4E9CDD7518219F6F5BB5279D210537382D852F610F46068E31CB22C63BB91B31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:04.310{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FB2D27AA78584D16242AAB6AE90761,SHA256=66E0AFAE45D7478192A125D0F81DC4D09C96C8D2FAB74966EE4B5439A0EFCC99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:04.135{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE4B229C905AB2340F9B824785406581,SHA256=01424033807504D0128FFB20C3D738C9F8DD1BA84F2D87E9559790347252E63A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:04.135{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07212D39E454AFF3C9E8A04F2E0EF0D6,SHA256=872E980667D345D81126A0F300F12966843C8FB34FF47885B79F93A6C1015D39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109966105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:05.510{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64130AA979E942273F2824F9EF1B4D7,SHA256=C9DC518F516585A2DEDAF8FE5161607E80752CC99829A6A11A0898988186DA1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:05.325{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF584B6B6E48CB402FCB395AB6F20A76,SHA256=5351292CCDA21B47EFCAB0B77691F029F35A99B2B429F5DBD2BEF84A37FF9FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:06.510{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ABF864A37C83F89F0665C02D8A6A62,SHA256=9555A79414C48108AF70613A8D83AFCB71DAFB71B2AC717C04A5AA30204A83E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:32:55.887{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49993-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056917021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:06.482{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF85AC964914205B6C87CBCDD6440E34,SHA256=440DB304732E8C58B4C96559218E8CB6221F6F0B928C7D3E5448F2DDC35B9BB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:07.513{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5272416777F40417D46D96C613BACD8,SHA256=384EBC27C8FFC49CC4D76A09B160EA5F06D4DF652606F6B10FF5EC5F1B7FBE41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:07.510{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD7D443C7295CCF153DEB31FF4CFFF5,SHA256=D9FE543A4D291BBF892D67BB3B0052F6CBDD6ECAC3B9AA192488B23C99CB9A06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:08.510{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC87D0705E1A5FD6C26B458484FB2F8,SHA256=B56A21DE6E80A0C74E40DD041AEE7D574BA8AEB091869D0570AFA702D019C415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:08.544{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CAF6BC100700393507425BBA9C03DB,SHA256=53265FAE3E169A5835A7506241BD1444E130FBC752CFAECAF397EB0537A41F7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.431{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58692-false10.0.1.12-8000- 23542300x8000000000000000109966111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:09.513{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AFBEB646AA237B33E6B459CBE375E6,SHA256=7FC267040DF891285CA8E9BE8D8DDD408737883390B3B5188D78ADF81C7CC569,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:09.559{B81B27B7-2357-6193-8800-00000000CB01}5124NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44231DA07D8CFBDEEE8E20822AB09926,SHA256=33C408C81F2572B186B89EAFB39A6EDDD6657F667AB4C11B69322866D0BAB967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:09.357{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08863CF7CC1BF6C5EEB61901D09E65C5,SHA256=43D6A04279433568E4B77AAC8EFDE8A2F476E6F01C381BA828CB4995CD95A975,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:09.357{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE4B229C905AB2340F9B824785406581,SHA256=01424033807504D0128FFB20C3D738C9F8DD1BA84F2D87E9559790347252E63A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:10.515{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C53C0DED8B1DCB57B657DFC23EB14C5,SHA256=463843C6B5F4D527AD80815EA6C9413CBAE31704B2AE8FDD8A22534EDE4B2E20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056917026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:10.575{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDE0E4E6B38677402CC29CB873955FF,SHA256=CF616450F40DFA08488F47433C6F2601B0B45DEFF399AA0D7D8A8646C9F37EFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:11.637{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9482B35AABE4E6C0FC6CC31E199C82,SHA256=7B61D52C794805857B9D5560B6BA90C9F438916BF2CD842B9A9FAA31DE127848,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:01.855{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49994-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056917027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:11.606{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D1E6180A8E59E921F51EA1F7BF8145,SHA256=C59E5EA86E48CC3243F05447B0B6DBBD8125941102268449E9D7503BBFF5C537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:12.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881B17AD7CB11C247170D80265FBD6C4,SHA256=673C7159504827C6E3DC8335DEC579F877948A59C32D3C01431EA5AF2B4768E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:12.653{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4328A95A5993DAEE8AA7E2FFCB514A69,SHA256=58A3EAEE66A51CE4D245B5634288EAA46A358115783EC83C8A50E033B40CA69E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:13.843{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B92150BD66D816F45F2EC5BCDF4A17,SHA256=08C76F104DC9CA8E2DDBDF9C0F599573BBF9B362A83EF23FDD921C225D7B7C15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056917031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:13.653{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CBE3837458DD76DEB45A1574EAC78D,SHA256=6B8F1940C42F5ED0F6F40DE6DCEA57431B4B1323E6B3B4AC5778E5A2C8AA0555,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:13.262{B81B27B7-25A9-6193-F800-00000000CB01}38243128C:\Windows\servicing\TrustedInstaller.exe{B81B27B7-25C4-6193-1101-00000000CB01}4372C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7cda8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000109966119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:27.452{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58693-false10.0.1.12-8000- 23542300x8000000000000000109966118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:14.843{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E41222BF1CB88BC79364344A2D641C,SHA256=44D4BF54A1E38CA33698B4F930C7BD282E4EDD2FB561955843E16D44E3C45AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:14.669{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877CBADC3C6A3FD239DB18D668D77F92,SHA256=F3D162C2E4E83BF26606A76241E373B327F65A2C44696CFC44886FE9FC40A03B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:14.250{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08863CF7CC1BF6C5EEB61901D09E65C5,SHA256=43D6A04279433568E4B77AAC8EFDE8A2F476E6F01C381BA828CB4995CD95A975,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:14.341{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FAFCFBB8FB357A32684BCD863DA6B140,SHA256=EB9FB7482D3737ED4E39EBCCC64E62D68401391A030FD93C196B1B6C850C9A18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:14.341{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58DB8008E99DE59AAECE5B5DB5DB4922,SHA256=7CDE41F8C69EB4E1FB752A784128FDAF9BFD61D100C16991472A0705A3FF2A79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:14.263{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64F02A48C28DF9EECB2BF68F38C6F026,SHA256=2A9AEBED2BA91044AE0C8DA10F860121D9408526044343C49432268275302CF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:14.263{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91C487A6B3325D27EFB016CBA1ABC561,SHA256=F7A921E6270F70E97FD5A955B1B4D8597E61A8055659453BB5219FBF03A208C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:15.921{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D74C5363368E64FFF9886EEFC7A2844,SHA256=A3C78D877DAFC714D0CF61F42786AE5023D554821F584E710F34919A2B298982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk 
space 23542300x800000000000000056917037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:15.716{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02995053E637B92B4696E7F99E8EFA8A,SHA256=5D00339A8E5C50179CB77FDC666CBD9F39CE37B4AF5C09D675C820AEFDDF7243,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:16.747{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA62609D6C706A8C21B0F6CD301CFC1D,SHA256=C05657C537C8D3F0F905DBFFC911DA2B313711E53D59B596DB067FB5E34A9D52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:17.763{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5868E9DA51B7054DAA30E1839A6138,SHA256=3CBB4559AFD97AD5BF65FF7D8B8615AC241E6A087B34972912959044429101D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:17.156{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EB4645F4042CCAE8AE35870F789907,SHA256=A29DC5F2256A9A99CA2E95997B49D1DF3F341C11ACAFD4022741AC3EEFE65AAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:06.855{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local49995-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056917041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:18.794{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7A1E451197CFDF5C102340B9356B72,SHA256=3662BC9E68DCF1ECC391C2FA6B2780538DC09A6F7191DA88EE7A8E15BBF7088A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:18.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B108E957AEA5BE375205FE80234FD4,SHA256=C21B235F5B907BBC63FDCB6BE5B16C6727831A5FFD24474721566B81FB449D98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:19.810{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC45E5BFEA7E9FED2CAAE4B89563485,SHA256=DEA92602C1D425FE07C15F2846C7DEBA56A9D116F008FFCEA5EFEA18E2A4A8B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:19.187{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9D021C8621FC1F723D7807B96F955F,SHA256=7A4851D80C8F9EFF2874C31985EF104C9FD5460A85D356321E3C1496F363EA18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:20.810{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71793C10775B9DEB25EF1F7799117FA8,SHA256=3EB410990A0769DF28A5E756E3499C292EA9E520C839950C170FBC7B652E8B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:20.234{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EAC3F41C1353BAE8BD46A5E8561F05,SHA256=58C7C848B55419D16CD002EE42FFD55192ECD69CDB9776A127E9D0A49D56BFE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient 
disk space 23542300x8000000000000000109966125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:20.109{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B61594E720E95FBEB92051E68016E076,SHA256=BE8D6C52AFCC64C69A7D0A9AC3F2BAAB6135F3A8AAD581906BF11F34E4B93FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:20.109{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE4C211EC704C114AC8627170E6C9448,SHA256=13E367F1E0D0B00B584A2285DA9C9B607C8DD36B134ECB564B1DFDD233366385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:21.872{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF87F9A43B2ED4199CA37A251290D393,SHA256=3EF849908A3C6DC4011EC935C78EE48B5AEF24C4244098E03137C11E7A2182AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.984{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
03:33:21.390{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=DCF6B03B96E554E5995BD8641F72916B,SHA256=D44B53A261E98798368765AFA881291415C18DA01DF1439E1BE3C5FF6F3FF57B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.390{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=3494051ADFC61BC90126C13533EAD149,SHA256=82F5232576D0E6521DB03BF0F4B0A5FE44D996A6F2E30034228CEB6986FD8908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.390{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=75703070D76CEEBCE9D8C3C22B7C2D68,SHA256=948E7792E1444E33709423C1E47832629BF78827F2939AF9F35E17B7293D7BD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.390{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=1593B52D9788065B340B134876245DA6,SHA256=98BE7AEF33B50FC47E89CB3926AF280E154465CBEE23DEF00714A2771A532ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109966248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.390{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=75703070D76CEEBCE9D8C3C22B7C2D68,SHA256=948E7792E1444E33709423C1E47832629BF78827F2939AF9F35E17B7293D7BD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.375{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109966246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.359{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000109966245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.359{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MMDevAPI.dll10.0.14393.4169 (rs1_release.210107-1130)MMDevice APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMMDevAPI.DllMD5=CF179D8A655703FDD273891432EBF588,SHA256=722863E48713AEDC9E7EA95C181CAAA389B147BCE51A7E815F0D4189AF92B6E8,IMPHASH=A9DFEC2D392C78A08CC45D2B95165EEAtrueMicrosoft WindowsValid 23542300x8000000000000000109966244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.359{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\v9017qz8.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109966243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.328{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 734700x8000000000000000109966242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.328{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 734700x8000000000000000109966241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x8000000000000000109966240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x8000000000000000109966239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 734700x8000000000000000109966238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft 
WindowsValid 734700x8000000000000000109966237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x8000000000000000109966236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x8000000000000000109966235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x8000000000000000109966234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000109966233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871,IMPHASH=0B7F4620EB804B43452C1AFA5341A2C2trueMicrosoft WindowsValid 734700x8000000000000000109966232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3,IMPHASH=77C2BDF68EAD031D294626FB2F3033A1trueMicrosoft WindowsValid 734700x8000000000000000109966231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 734700x8000000000000000109966230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000109966229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000109966228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000109966227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000109966226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000109966225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.312{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBB,IMPHASH=8D3297F500E5144336C044019A1ACFD4trueMicrosoft WindowsValid 734700x8000000000000000109966224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x8000000000000000109966223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:21.297{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.297{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x8000000000000000109966221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000109966220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x8000000000000000109966218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000109966217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program 
Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll94.0.1-FirefoxMozilla Foundationxul.dllMD5=5AB4AB5245C9832A1847194E91D7DD26,SHA256=1BBA050C471023C7E0DE0BC8D01A6A2219093A3A07C5718BF572C44F9305BF0D,IMPHASH=952EAD1A10A1153149B4EDF865D718E5trueMozilla CorporationValid 734700x8000000000000000109966215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.282{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll94.0.1-FirefoxMozilla Foundationxul.dllMD5=5AB4AB5245C9832A1847194E91D7DD26,SHA256=1BBA050C471023C7E0DE0BC8D01A6A2219093A3A07C5718BF572C44F9305BF0D,IMPHASH=952EAD1A10A1153149B4EDF865D718E5trueMozilla CorporationValid 734700x8000000000000000109966214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll94.0.1-FirefoxMozilla Foundationlgpllibs.dllMD5=D5EC8CD448D08D035EDD4DD748450689,SHA256=93AB5BADBA0FAB23BA4DE84AFE1D0EF3763BB4FD207CBF280BE5D5E19E3FBEEA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000109966213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll94.0.1-FirefoxMozilla Foundationlgpllibs.dllMD5=D5EC8CD448D08D035EDD4DD748450689,SHA256=93AB5BADBA0FAB23BA4DE84AFE1D0EF3763BB4FD207CBF280BE5D5E19E3FBEEA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000109966212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia 
Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000109966211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000109966210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000109966209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll94.0.1-FirefoxMozilla Foundationnss3.dllMD5=EB453FC52EA06908F0E06A4D28A2FD4D,SHA256=2616C0F8543B0BDFDD2878E4F7F3F0C776EB18153D36A110B8345C68FC8967E3,IMPHASH=0DFC68B8DD02D4E1CB73F90762A0E3D7trueMozilla CorporationValid 734700x8000000000000000109966207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll94.0.1-FirefoxMozilla Foundationnss3.dllMD5=EB453FC52EA06908F0E06A4D28A2FD4D,SHA256=2616C0F8543B0BDFDD2878E4F7F3F0C776EB18153D36A110B8345C68FC8967E3,IMPHASH=0DFC68B8DD02D4E1CB73F90762A0E3D7trueMozilla CorporationValid 734700x8000000000000000109966206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll94.0.1-FirefoxMozilla Foundationmozglue.dllMD5=35C894D9D2E10A18DE2A3C68124C5094,SHA256=CDB8CE7B7C73D362622FAD20622C5EEE20FD33F622A8B3DA9182574C8367CBCB,IMPHASH=83933F44E572C4BFE23EF51E82A89358trueMozilla CorporationValid 734700x8000000000000000109966205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.265{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109966204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
734700x8000000000000000109966135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.203{3BF36828-2681-6193-F598-01000000CC01}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe94.0.1FirefoxFirefoxMozilla Corporationfirefox.exeMD5=FAEAF27CD3F8B9D750E1C0DA85F1527A,SHA256=B984CDD9D3298C6EBDB6D3F4D80FEA23FD20ACB4C0EDAF925365EFAA0C1AF289,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4trueMozilla CorporationValid 10341000x8000000000000000109966134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.203{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:21.203{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.203{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:21.203{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.203{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-2681-6193-F598-01000000CC01}6420C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.203{3BF36828-9799-6185-1600-00000000CC01}12721960C:\Windows\system32\svchost.exe{3BF36828-2681-6193-F598-01000000CC01}6420C:\Program Files\Mozilla 
Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:21.187{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000109966127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:33.327{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58694-false10.0.1.12-8000- 23542300x800000000000000056917045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:22.919{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118F2A68E24733A1D486B08FCFA015E8,SHA256=D47333DB35F4AA91945F0553AEC9CE47D832912B003E6A47702D392D598A5C1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.966{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local54109- 354300x8000000000000000109966352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.965{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62564- 354300x8000000000000000109966351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.961{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61776- 354300x8000000000000000109966350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.952{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62497- 354300x8000000000000000109966349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.952{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:8ddb:ffff:98d0:e3de:48e:ffff-62497-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000109966348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.932{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local54386- 354300x8000000000000000109966347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.932{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local64188- 354300x8000000000000000109966346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.928{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53405- 354300x8000000000000000109966345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.926{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62497- 734700x8000000000000000109966344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.547{3BF36828-2681-6193-F598-01000000CC01}6420C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® 
Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x8000000000000000109966343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\Telemetry.ShutdownTime.txtMD5=F04B5F5116702DD78F84BC0691B54352,SHA256=A7022F0D180485ABD34C3F24D8E49CC248054679E3554EBE524BAFA6C34A8AFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\SiteSecurityServiceState.txtMD5=3DFD8BE63044A3D749A030A3792DB078,SHA256=32DB8D84088FD7ABB914525C65E1986BE34CF11C61CC0EA39A242CABFCF1A3A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\ShutdownDuration.jsonMD5=A37D36E5F0D02C55FD87B8361141BE44,SHA256=2F4FBA7D7C998C85E7986B3E43CB69C10615D680209F18E10F544FEBAA350892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\prefs.jsMD5=91E78FC3AC853F57D89145141379346F,SHA256=7CC708D6CB588479D5C1B13D458AF76CF82431994F882BEB3C7E23AAB0720778,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\pkcs11.txtMD5=2853C14FF2C2CD7C347F5864AB858DB1,SHA256=6411A48274A76CF39264D65C055A90CA6CEC82AD25C172154A9A4C53230D1092,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\cookies.sqliteMD5=886A5F9308577FDF19279AA582D0024D,SHA256=BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.531{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\compatibility.iniMD5=A46B3FF9863A2D065AD5499ED3F4CB1E,SHA256=E85B8B9043B6BBA5A1A835FD54F68C6B83287308CF5427CCA79E67F87ADBCB3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109966336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=4C250B4403CC07BC48D857972C3287B1,SHA256=EDF7E1FD2F5D7909D22FFC8BA472593AA46ACB90BA5DE3508CD62193B5F97B8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\ShutdownDuration.jsonMD5=EC14C8AC54E436CF5DFA376C38F79C41,SHA256=BBC2125E738DB66B7006C07EB642C5B0DB3FF4B7BC446455341D12A51F315C6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\db\data.safe.binMD5=20DB7F429FAD7D020574098EBE90BE42,SHA256=F912FCF995A5DB645B044E060F489385FBDF1C904805FB3ACF4C2ADB070AFB6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\ShutdownDuration.jsonMD5=6540E2B9D2155FB83CA93A01AD7425E1,SHA256=60AE1AE50E1D71264490D6EFF06215CA48458015BA33B4349567321B6F9C07B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\ShutdownDuration.jsonMD5=AF12D4F3E528664DB674E5850E70EDC9,SHA256=61629659D1284AC0A3547B4C15C1350FB41A209AB101B4BE312AAB6435D0B071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x8000000000000000109966331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\SiteSecurityServiceState.txt2021-11-16 03:33:22.500 23542300x8000000000000000109966330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.500{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Temp\MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate-90\ShutdownDuration.jsonMD5=D4A35F2AC86ADCF4328BC51DD0027E9A,SHA256=CD807C8F14D52E03C126C1FEDA6790A52ABFD58CECD490FE7480BB52B4FEA71B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.422{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FFB7557569874595BD099CA436126E,SHA256=A75F567BED610834E7BF5281AED1155DD97E8FA7F3655B8C4EDB54463BF66209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.541{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-58696-false127.0.0.1-58695- 354300x8000000000000000109966327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.541{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-58696-false127.0.0.1-58695- 23542300x8000000000000000109966326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.234{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B61594E720E95FBEB92051E68016E076,SHA256=BE8D6C52AFCC64C69A7D0A9AC3F2BAAB6135F3A8AAD581906BF11F34E4B93FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.093{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\pending_pings\37cc1b77-430e-4b90-932d-0ad5b61e4b3aMD5=4C3B0BB19C78676B241C7AD18B74BF3A,SHA256=74C6BEDAD9F0768130968AC18569B0D7D0B41374DE37679FB5C5905B457D3586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109966324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:22.015{3BF36828-2681-6193-F698-01000000CC01}5088ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla\updates\308046B0AF4A39CB\backgroundupdate\datareporting\glean\pending_pings\2d45cb03-9d32-487b-a3ce-079681377402MD5=0145AE9685B85E0900A904A25128C30C,SHA256=58AFF3F0C1B35E5F4342174AD9BB1EB29B19CBDF38F0F6A61088C080022BA948,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:23.919{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC73B0981DB9FA22553C55F79578DEEA,SHA256=CB893B8A3990C99E75A30C7922D7ECBF74CE59DF2DF548F8B419D51506F69629,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x8000000000000000109966366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:36.024{3BF36828-2681-6193-F698-01000000CC01}5088prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000109966365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:36.023{3BF36828-2681-6193-F698-01000000CC01}5088prod.ingestion-edge.prod.dataops.mozgcp.net035.227.207.240;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000109966364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.980{3BF36828-2681-6193-F698-01000000CC01}5088cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000109966363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:35.977{3BF36828-2681-6193-F698-01000000CC01}5088cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000109966362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.945{3BF36828-2681-6193-F698-01000000CC01}5088prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000109966361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.944{3BF36828-2681-6193-F698-01000000CC01}5088prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000109966360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:36.016{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-128.attackrange.local58699-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x8000000000000000109966359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.989{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-128.attackrange.local58698-false72.21.91.29-80http 354300x8000000000000000109966358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:35.938{3BF36828-2681-6193-F698-01000000CC01}5088C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-128.attackrange.local58697-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 23542300x8000000000000000109966357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:23.562{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.854{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.854{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000056917078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:46.401{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D73CD5EA708B8047EBFA2CE16825E1,SHA256=CD83CA29AC83378C1BF0E862BE0F9D323D2AA56F8ACC4DDCB683EA7959CD37F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109966447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 
(rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109966444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109966443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109966441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.760{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000109966438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109966435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109966434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109966433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109966432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109966430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109966428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109966427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109966425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109966424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109966423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109966422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109966418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000109966417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109966415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109966414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109966412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109966410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109966409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000109966407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:46.744{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:46.744{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:46.744{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.744{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109966401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:46.729{3BF36828-269A-6193-F798-01000000CC01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056917079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:47.416{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525748F5BB4EE1D62584716DA1C609F0,SHA256=E4E8FAF6574FF0D2AAD36CBB78AA3B4F72FB317DC2CF3C30636E12905AF3F236,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109966508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.572{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109966507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.572{3BF36828-269B-6193-F898-01000000CC01}66163180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.572{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.572{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109966504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.447{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.447{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.447{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109966501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.447{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000109966500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109966498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109966495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109966492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109966491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000109966490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109966489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109966488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109966486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109966484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000109966483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109966482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109966481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109966480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109966479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host 
for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109966475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109966474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109966473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109966471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109966469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109966467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109966466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000109966465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000109966464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:47.432{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:47.432{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.432{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109966458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:47.417{3BF36828-269B-6193-F898-01000000CC01}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056917080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:48.479{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8D0054BDF2D7F2FA89DE5763180218,SHA256=1B74443F4B96EECA8A88ADEFF3771F0A2C02CE2012781E3597F89684B43B3239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109966619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.859{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109966618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.859{3BF36828-269C-6193-FA98-01000000CC01}54723460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.859{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.859{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.859{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.859{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.859{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.859{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.843{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109966610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109966607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109966606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 
734700x8000000000000000109966604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.734{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109966601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 
(rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109966598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109966597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109966596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109966594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109966592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109966591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109966590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109966588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000109966587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109966586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109966585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109966581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109966580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109966577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000109966576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109966575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109966574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT 
BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109966572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109966571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 
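The records above are Sysmon telemetry from the attack range hosts with their field separators lost in extraction: Event ID 10 (ProcessAccess) records carrying a GrantedAccess mask and a call trace (svchost.exe opening sysmon64.exe with 0x1400, csrss.exe and the parent splunkd.exe opening a new child with 0x1fffff, taskmgr.exe reading splunk-regmon.exe with 0x1410), Event ID 7 (ImageLoad) records for splunk-regmon.exe that include dbghelp.dll and dbgcore.dll, and Event ID 1 (ProcessCreate) for splunk-powershell.exe. What follows is an added example, not code from the page or from the Splunk attack_range project: it rebuilds a few of those records as structured events (values copied from the dump where the comments say so; the lsass.exe access and the C:\Users\Public loads are constructed positives) and runs the triage a detection engineer would apply to them. It decodes the GrantedAccess bitmask into winnt.h process rights, flags memory-read access to lsass.exe and call-trace frames that Sysmon marks UNKNOWN because no loaded module backs them, and flags loads of the two MiniDumpWriteDump helper DLLs unless they are valid-signed, come from System32 and are loaded by an expected process. The allowlist entry for splunk-regmon.exe and the sensitive-target list are assumptions made for this example.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple, Union

# Process access rights from winnt.h; Sysmon's GrantedAccess is a bitmask of these.
ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the caller read or change the target's memory (what a dumper needs).
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020

SENSITIVE_TARGETS = {"lsass.exe"}                 # assumption: tune per environment
DUMP_HELPER_DLLS = {"dbghelp.dll", "dbgcore.dll"}  # both export MiniDumpWriteDump
# Assumption for this example: the forwarder's registry monitor, which the page
# shows loading dbghelp.dll and dbgcore.dll, is an expected loader of them.
EXPECTED_DUMP_HELPER_LOADERS = {
    r"c:\program files\splunkuniversalforwarder\bin\splunk-regmon.exe",
}


@dataclass
class ProcessAccess:  # Sysmon Event ID 10
    utc_time: str
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    granted_access: str  # hex string as logged, e.g. "0x1400"
    call_trace: str      # "module+offset|module+offset|..."


@dataclass
class ImageLoad:  # Sysmon Event ID 7
    utc_time: str
    image: str         # the loading process
    image_loaded: str  # the DLL; Signed/Signature/SignatureStatus describe it
    signed: bool
    signature: str
    signature_status: str


def decode_granted_access(mask: int) -> List[str]:
    """Expand a GrantedAccess mask into the named rights it contains."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage_process_access(ev: ProcessAccess) -> List[str]:
    findings = []
    mask = int(ev.granted_access, 16)
    if _base(ev.target_image) in SENSITIVE_TARGETS and (
        mask == PROCESS_ALL_ACCESS or mask & MEMORY_RIGHTS
    ):
        findings.append(f"{_base(ev.source_image)} opened {_base(ev.target_image)} with "
                        + "|".join(decode_granted_access(mask)))
    # Sysmon writes UNKNOWN(<address>) for a frame no loaded module backs, which is
    # what a call made from injected shellcode looks like in the trace.
    if any(frame.upper().startswith("UNKNOWN") for frame in ev.call_trace.split("|")):
        findings.append("call trace contains a frame outside any loaded module")
    return findings


def triage_image_load(ev: ImageLoad) -> List[str]:
    findings = []
    dll = _base(ev.image_loaded)
    if dll not in DUMP_HELPER_DLLS:
        return findings
    if not (ev.signed and ev.signature_status == "Valid"):
        findings.append(f"{dll} has signature status {ev.signature_status!r}")
    if ntpath.dirname(ev.image_loaded).lower() != r"c:\windows\system32":
        findings.append(f"{dll} loaded from outside System32: {ev.image_loaded}")
    if ev.image.lower() not in EXPECTED_DUMP_HELPER_LOADERS:
        findings.append(f"{dll} loaded by unexpected process {ev.image}")
    return findings


def triage(events) -> List[Tuple[Union[ProcessAccess, ImageLoad], List[str]]]:
    """Return only the events that produced findings, paired with those findings."""
    hits = []
    for ev in events:
        f = triage_process_access(ev) if isinstance(ev, ProcessAccess) else triage_image_load(ev)
        if f:
            hits.append((ev, f))
    return hits


SAMPLE_EVENTS = [  # constructed; the "mirrors the page" entries copy values from the dump
    # Mirrors the page: svchost.exe (lsm over RPC) querying sysmon64.exe.
    ProcessAccess("2021-11-16 03:33:47.432", r"C:\Windows\system32\svchost.exe", 844,
                  r"C:\Windows\sysmon64.exe", 2912, "0x1400",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593"),
    # Mirrors the page: csrss.exe taking a full-access handle to a newly created process, which is normal.
    ProcessAccess("2021-11-16 03:33:48.721", r"C:\Windows\system32\csrss.exe", 420,
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe", 5472, "0x1fffff",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645"),
    # Mirrors the page: Task Manager reading splunk-regmon.exe (VM_READ, but not a sensitive target).
    ProcessAccess("2021-11-16 03:33:48.859", r"C:\Windows\system32\taskmgr.exe", 6128,
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe", 5472, "0x1410",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\taskmgr.exe+b3bc"),
    # Constructed positive: memory read of lsass.exe from an unbacked frame.
    ProcessAccess("2021-11-16 03:40:00.000", r"C:\Users\Public\tool.exe", 7100,
                  r"C:\Windows\system32\lsass.exe", 612, "0x1010",
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001D2A4B30000)"),
    # Mirrors the page: the forwarder's registry monitor loading the debug helpers.
    ImageLoad("2021-11-16 03:33:48.843", r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe",
              r"C:\Windows\System32\dbghelp.dll", True, "Microsoft Windows", "Valid"),
    ImageLoad("2021-11-16 03:33:48.859", r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe",
              r"C:\Windows\System32\dbgcore.dll", True, "Microsoft Windows", "Valid"),
    # Constructed positive: an unsigned dbghelp.dll side-loaded from a user-writable directory.
    ImageLoad("2021-11-16 03:40:00.100", r"C:\Users\Public\tool.exe",
              r"C:\Users\Public\dbghelp.dll", False, "", "Unavailable"),
]

if __name__ == "__main__":
    for ev, findings in triage(SAMPLE_EVENTS):
        print(ev.utc_time, *findings, sep="\n    ")
```

Run against the sample, only the two constructed positives produce findings; every record copied from the page is silent, including the 0x1fffff handles, which are what a parent or csrss.exe legitimately holds on a new process, and the dbghelp.dll/dbgcore.dll loads, which are benign here only because the loader is on the allowlist. In a real pipeline the allowlist is the part to keep tight: key it on the full image path (and ideally on the loader's own signer from its Event ID 1 record) rather than on the basename, since a basename match is trivially spoofed.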
10341000x8000000000000000109966569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.721{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.721{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.721{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109966563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.703{3BF36828-269C-6193-FA98-01000000CC01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000109966562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.229{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109966561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.229{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.229{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109966559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000109966556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109966555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109966553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.041{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109966550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109966547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000109966546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109966545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109966544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs 
LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109966541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109966540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000109966539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109966538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109966537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe 
OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109966535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109966533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109966529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000109966528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109966527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109966526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000109966524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109966523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000109966521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109966520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:48.026{3BF36828-269C-6193-F998-01000000CC01}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000109966518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-269D-6193-FB98-01000000CC01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109966623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:49.391{3BF36828-269D-6193-FB98-01000000CC01}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000109966622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:49.202{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A99D3A809F66A972A64A4416DBAA3F0,SHA256=D3A02EEE209AC512EB99386B57403E123C8A6CEAB0C12A08DD79BFF3BA6232FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:49.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FE085465099CAC2E425E7D603C0429,SHA256=4A11FCC4615D939AF3782A3A199BEBBEFF3F9DD7989D72157013C590408A95A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:49.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F297DFD08AF5321EF3ED3551DDFBCA83,SHA256=E9D6A82595F44DD544B294A037F1678FB74DF99BF4ED54D52435AF809E3115E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:50.515{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790A05DF535F6A12C54123E35848E979,SHA256=B62E4BAA730D99DB6E2815027F3CD27156AB8A49BF019BD10572901A64514457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:03.375{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58705-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000109966789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:03.375{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58705-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 734700x8000000000000000109966788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.937{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109966787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.937{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.937{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000109966785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.874{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.874{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.874{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.874{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000109966781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.874{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109966780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.812{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.812{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:50.812{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109966777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.812{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109966776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109966775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109966772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000109966771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109966770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109966767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000109966765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 
734700x8000000000000000109966764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109966763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109966762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109966758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000109966757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109966756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109966753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109966751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000109966750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109966749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109966748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109966747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109966746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109966744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000109966743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109966742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109966741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109966740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000109966739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:50.796{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:33:50.796{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.796{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109966733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.781{3BF36828-269E-6193-FD98-01000000CC01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109966732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.421{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE23FF36C2476514903F288C59CAC12,SHA256=B7D9717DC4E2132B98662E5EFE43B6CD86CD7EBE1D3CBFCFA6953EF2CE447A20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109966731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.390{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C52EA46A655CF341604941C6B7276A,SHA256=4C2BB40843D32E03D898E8056AEC186BA1452CB42EC426691A404382E8F79926,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.390{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5B72E124D02D595E72C6059E54825C4,SHA256=2B8FA7BD03343D81B9A42AB4EBBA92C690F3472175A33D26E177686AC8B5115B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109966729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.249{3BF36828-269E-6193-FC98-01000000CC01}47325384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000109966728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.249{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109966727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.249{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109966726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109966725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109966724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109966723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109966722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000109966721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109966720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109966719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109966718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.124{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel 
API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109966717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109966716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109966715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000109966714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109966713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109966712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109966711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109966710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109966709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109966708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109966707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 
(rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109966706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109966705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109966704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000109966703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109966702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109966701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109966700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:50.109{3BF36828-269E-6193-FC98-01000000CC01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 
03:33:55.125{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-26A3-6193-2D01-00000000CB01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:55.125{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:55.125{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:55.125{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:55.125{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:55.125{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-26A3-6193-2D01-00000000CB01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:55.125{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-26A3-6193-2D01-00000000CB01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:55.125{B81B27B7-26A3-6193-2D01-00000000CB01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056917096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:45.013{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000109966806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:09.970{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50004-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000109966805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:09.968{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local58707-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 23542300x8000000000000000109966804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:56.827{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=239891B1C8CF42C8CA8A42D9CCE8B727,SHA256=459FF7B61CEA4DE52425C0D33DE45808CACAF7F8536E2B1EAE1F8B7B74B31C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:56.577{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC696E6B2DE9E8A665F39664295F3700,SHA256=64EB6FF31357025AE37B20E734E328E787EDDBE1EEAD613AC5D18028652365C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:56.610{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE7B4D9EABD3A1093792AC2652BEAB7,SHA256=131B8322F5194ACBA5A2CBAEBFC82741BCD642898E87DB880317D3D441E109CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:56.329{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26EFA99E739BF97CBE867ED418A5F974,SHA256=55F42A863EAE747E66422C660619D274CD53B9049F8659FA6E41A6FBAC469A8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.701{B81B27B7-26A5-6193-2F01-00000000CB01}32165280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056917129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.623{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAF3022FB2A9E1D6E9C0812B7629532,SHA256=F958FE5283A82D0199E845CDF8D97A3C5AD63AD102BE13EA2943D43B0E0F1C7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:57.577{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE446000F79A014DBB20A9FE2AD8789,SHA256=97F041D5E38F050C28702C076E5CF48E8D189B2C816D95C387288F232C3DBCA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:57.046{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.545{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-26A5-6193-2F01-00000000CB01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:57.545{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.545{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:57.545{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.545{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:57.545{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-26A5-6193-2F01-00000000CB01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.545{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-26A5-6193-2F01-00000000CB01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:57.545{B81B27B7-26A5-6193-2F01-00000000CB01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056917120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:47.561{B81B27B7-2343-6193-0C00-00000000CB01}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50004-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000056917119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:47.559{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal58707-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x800000000000000056917141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:58.642{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDE73ED8941264649DB3B39EBB3B9D2,SHA256=1E852CFBD48ED42C4DB86805222C84BC3FB36B17FF9734F71B21FA0B2D800C9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:11.249{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58708-false10.0.1.12-8089- 
23542300x8000000000000000109966810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:33:58.609{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D7874F583A52940A50244B99A52BB5,SHA256=2865EAA65DC95CC1414D068B3DED9F87206100E962068D045314FA737E599A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:58.626{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63240152E8F795B9F1836F902ADDA1D5,SHA256=E78BE0E684C3ADFCE12917CF881481D7739D48904CD0163479F8F75EBCE505F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:58.595{B81B27B7-26A6-6193-3001-00000000CB01}57445788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:58.439{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-26A6-6193-3001-00000000CB01}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:58.439{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:33:58.439{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:33:58.439{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
23542300x800000000000000056917175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:10.349{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7707DD27543B2BA28486D10675F6028,SHA256=0046022328516B3FBC9E6A852029A044933F31CA80E6D5E6B6BA2E264229BCAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:10.349{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E703F4751DF008FFDA497E8C47283F43,SHA256=854C79E6269235E67AF22CF3717D4208F94129EE87E7960EC35F5AE4BEE45504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:10.146{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2282053F427E12C5AFCB9D064A236ADB,SHA256=B4A8DA4035366DE0C9492B9729EFE70348B72492087F2A57AE16DA73205429CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109966843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:11.599{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2095BE7B39AED93C3CD76926451BD857,SHA256=F7F6905D30294F7171C596E182504E2CB1344AD8A04A9969813E17F401F13579,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:01.923{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50007-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000056917204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8400-00000000CB01}3308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8400-00000000CB01}3308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8400-00000000CB01}3308C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:11.474{B81B27B7-2344-6193-0E00-00000000CB01}836856C:\Windows\system32\svchost.exe{B81B27B7-2356-6193-8200-00000000CB01}4176C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056917176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:11.161{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCE0D3F9DB82133AF55C49E16E9739A,SHA256=C0DD4FDB67D6161EA389C8C2B79DF02CB2723F5537CF0B414BCC18D0D0E61CD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109966842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:23.427{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58715-false10.0.1.12-8000- 23542300x8000000000000000109966844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:12.611{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
space 23542300x8000000000000000109966889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:36.671{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A2CD261EF79DBE2B54D8DEAFB7E640,SHA256=928B3004024DDCA1CE23BF3408006B29A072E9EBD56D065FF1B831FD0184F3D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:36.486{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829DC8B8ABF77D99223252F606DDDEB7,SHA256=121F578297B9A0777B700B5593F01445795453C5F3FAD7E9A28764F5BD28F5CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:37.501{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBD1D0CA65628B181F22C29B37D034C,SHA256=7835ED3B9173359A4135CAA49425EF1D3E41A8DC460FAF79E407EDDE406A973F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109966949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.984{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-26CD-6193-FE98-01000000CC01}6988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109966948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.984{3BF36828-9799-6185-0C00-00000000CC01}8446904C:\Windows\system32\svchost.exe{3BF36828-26CD-6193-FE98-01000000CC01}6988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.968{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109966946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.968{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109966945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.968{3BF36828-94A1-6192-9587-01000000CC01}53125244C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.968{3BF36828-94A1-6192-9587-01000000CC01}53125244C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109966943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.952{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8004815C9A1E431CBDF329FCEC7187,SHA256=7E92F8BBD01B159A5D4916AD5E53D1B8585DA19D6F8DD2B5AE71EDAACD428D85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109966942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.937{3BF36828-94A1-6192-9587-01000000CC01}53126852C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.937{3BF36828-94A1-6192-9587-01000000CC01}53126852C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.937{3BF36828-94A1-6192-9587-01000000CC01}53126852C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.937{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109966938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.937{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000109966937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.937{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000109966936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.937{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000109966935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-97A9-6185-3100-00000000CC01}21964372C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000109966934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-97A9-6185-3100-00000000CC01}21964372C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000109966933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046636C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046636C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046636C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046636C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046444C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046444C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:37.921{3BF36828-9799-6185-0D00-00000000CC01}9046444C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109966926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000109966891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.921{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000109966890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:37.671{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76665E53484B2D7C861CECE0B497D56D,SHA256=98A6143AEE989E27F7CFB3D48132E96274FBEB235B030A9E15439A8BD8C1B84C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:38.517{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267C5ACEE0198F62ACA76478EEEE463E,SHA256=8F2CC4939CB998B1EDCDE1408CED054B281098EFE0B0E0A6FD352E468204D763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.984{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 23542300x8000000000000000109967130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.984{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8593AA26CB0B6923C07FAC00EF19E5EE,SHA256=D1BB5AD939924F34E4DCE9E3234BE35B22051D700BBC8CF59AE1D459F4AC7A7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.984{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109967128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000109967127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000109967126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000109967125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000109967124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000109967123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000109967122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x8000000000000000109967121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-9799-6185-1600-00000000CC01}12721960C:\Windows\system32\svchost.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-9799-6185-1600-00000000CC01}12721324C:\Windows\system32\svchost.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 
10341000x8000000000000000109967118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-94A1-6192-9587-01000000CC01}53121872C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-94A1-6192-9587-01000000CC01}53121872C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109967115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}13086920C:\Windows\system32\conhost.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.servicep
rovider.dll+635e 10341000x8000000000000000109967113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x8000000000000000109967112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000109967111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109967110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000109967109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109967108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109967107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000109967106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109967104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109967103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109967102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109967101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109967100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109967099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109967098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4402 (rs1_release.210426-1725)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=EBEFEF1FE2B0D6FF2595203DADE100C9,SHA256=70F4BB4198467DA8E2FD7AF475536B3F2FD1B3E56CEE7E376D0303C149C449F9,IMPHASH=49A59B06FE5B10F21E36B588430BFDB3trueMicrosoft WindowsValid 734700x8000000000000000109967097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.968{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109967096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x8000000000000000109967095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000109967093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000109967092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}8446904C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000109967090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53125244C:\Windows\explorer.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53125244C:\Windows\explorer.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53121872C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53121872C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000109967085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000109967084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53125244C:\Windows\explorer.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53125244C:\Windows\explorer.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000109967080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000109967078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.952{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.952{3BF36828-94A1-6192-9587-01000000CC01}53126496C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c97|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db 154100x8000000000000000109967072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.958{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" 
C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 10341000x8000000000000000109967071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.937{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.937{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.937{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.
dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000109967068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.937{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000109967067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.937{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000109967066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.937{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.937{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-3100-00000000CC01}2196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109967064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.921{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCFE9F9867431BC2F21D77F07A598AB,SHA256=AC87864B10D01AF136FA7521518AD54B64CB778E56CA74436B547E6DC7B4F9CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.890{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579E033AD026102CDA5B9F676860BFF4,SHA256=BAE5C615C7C0669CDB52D68116989D450ECBF7FAC0A171DC7359469B1F75A333,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.827{3BF36828-97CC-6185-8400-00000000CC01}36641568C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000109967061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.827{3BF36828-97CC-6185-8400-00000000CC01}36641568C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000109967060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.827{3BF36828-97CC-6185-8400-00000000CC01}36646320C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.827{3BF36828-97CC-6185-8400-00000000CC01}36646320C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.812{3BF36828-97CC-6185-8400-00000000CC01}36646320C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.812{3BF36828-97CC-6185-8400-00000000CC01}36647148C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.812{3BF36828-97CC-6185-8400-00000000CC01}36646836C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.671{3BF36828-97CC-6185-8400-00000000CC01}36647148C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.671{3BF36828-97CC-6185-8400-00000000CC01}36647148C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.671{3BF36828-97CC-6185-8400-00000000CC01}36644584C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.671{3BF36828-97CC-6185-8400-00000000CC01}36644584C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x8000000000000000109967022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\thumbcache.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9C,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x8000000000000000109967021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36641568C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000109967020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36641568C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000109967019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36645524C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000109967018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36645524C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 734700x8000000000000000109967017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000109967016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinui.dll10.0.14393.4169 
(rs1_release.210107-1130)TWINUIMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.dllMD5=7F1F1B63C8AA1D6EA1057589ECF0AC12,SHA256=4E20B33E2E951359C9FEBD1EE66A2B24E5BAACB0C6CFF5E3543CAAB00C99AA91,IMPHASH=B98A56301D4EF217B14C24D92F13B2B4trueMicrosoft WindowsValid 10341000x8000000000000000109967015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36644584C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.655{3BF36828-97CC-6185-8400-00000000CC01}36644584C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000109967011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.655{3BF36828-94A2-6192-9887-01000000CC01}4180ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xmlMD5=3CB1E5C4D3A6C1F4DCA2D9EA2449E9F4,SHA256=0A8F9C8F3DE1210FDA3374D751B6E5D187F9B0938AB7C948124885A46DFBD508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000109967009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-94A1-6192-9587-01000000CC01}53125568C:\Windows\explorer.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x8000000000000000109967008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.640{3BF36828-97CC-6185-8400-00000000CC01}3664C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 10341000x8000000000000000109967007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-97CC-6185-8400-00000000CC01}36644584C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-97CC-6185-8400-00000000CC01}36644584C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000109967005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-97CC-6185-8400-00000000CC01}36647148C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000109967003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640{3BF36828-97CC-6185-8400-00000000CC01}36645916C:\Windows\System32\RuntimeBroker.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000109967002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.640  (EventData of the ProcessAccess record whose System header ends the preceding line)
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=7148  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde

Layout of the records below: this is the same Sysmon export with the field names of the Sysmon event schema restored. Every record has Channel=Microsoft-Windows-Sysmon/Operational, Level=4, Opcode=0, Keywords=0x8000000000000000, Task equal to EventID and RuleName=-, so those fields are not repeated. EventID 7 (ImageLoad) and 10 (ProcessAccess) records carry schema Version=3; EventID 3 (NetworkConnect) and 23 (FileDelete) carry Version=5. Values containing spaces are quoted. CallTrace frames are module+offset, separated by |, exactly as exported. Records keep the export's order (descending EventRecordID).

EventID=10 (ProcessAccess)  EventRecordID=109967001  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.640"
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=5916  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID=10 (ProcessAccess)  EventRecordID=109967000  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.640"
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=5916  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID=10 (ProcessAccess)  EventRecordID=109966999  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.640"
  SourceProcessGUID={3BF36828-94A1-6192-9587-01000000CC01}  SourceProcessId=5312  SourceThreadId=5244  SourceImage=C:\Windows\explorer.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966998  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.640"
  SourceProcessGUID={3BF36828-94A1-6192-9587-01000000CC01}  SourceProcessId=5312  SourceThreadId=5244  SourceImage=C:\Windows\explorer.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=7 (ImageLoad)  EventRecordID=109966997  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-97CC-6185-8400-00000000CC01}  ProcessId=3664  Image=C:\Windows\System32\RuntimeBroker.exe
  ImageLoaded=C:\Windows\System32\execmodelproxy.dll  FileVersion="10.0.14393.0 (rs1_release.160715-1616)"  Description=ExecModelProxy  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=ExecModelProxy.dll
  Hashes=MD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=23 (FileDelete)  EventRecordID=109966996  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-94A2-6192-9887-01000000CC01}  ProcessId=4180  User=ATTACKRANGE\Administrator  Image=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  TargetFilename="C:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xml"
  Hashes=MD5=E433428A67C24CCB48AA297713C5D450,SHA256=296CAA41F67255406EFF7103A12C50EB9E1A01577C2845784075ED29828EEA77,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived="false - insufficient disk space"

EventID=7 (ImageLoad)  EventRecordID=109966995  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-97CC-6185-8400-00000000CC01}  ProcessId=3664  Image=C:\Windows\System32\RuntimeBroker.exe
  ImageLoaded=C:\Windows\System32\OneCoreCommonProxyStub.dll  FileVersion="10.0.14393.2395 (rs1_release_inmarket.180714-1932)"  Description="OneCore Common Proxy Stub"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=OneCoreCommonProxyStub.dll
  Hashes=MD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966994  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=7148  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d

EventID=10 (ProcessAccess)  EventRecordID=109966993  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=7148  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde

EventID=7 (ImageLoad)  EventRecordID=109966992  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-97CC-6185-8400-00000000CC01}  ProcessId=3664  Image=C:\Windows\System32\RuntimeBroker.exe
  ImageLoaded=C:\Windows\System32\twinapi.appcore.dll  FileVersion="10.0.14393.4169 (rs1_release.210107-1130)"  Description=twinapi.appcore  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=twinapi.appcore.dll
  Hashes=MD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966991  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=5916  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e

EventID=10 (ProcessAccess)  EventRecordID=109966990  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-97CC-6185-8400-00000000CC01}  SourceProcessId=3664  SourceThreadId=5916  SourceImage=C:\Windows\System32\RuntimeBroker.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e

EventID=7 (ImageLoad)  EventRecordID=109966989  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-97CC-6185-8400-00000000CC01}  ProcessId=3664  Image=C:\Windows\System32\RuntimeBroker.exe
  ImageLoaded=C:\Windows\System32\actxprxy.dll  FileVersion="10.0.14393.3808 (rs1_release.200707-2105)"  Description="ActiveX Interface Marshaling Library"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=ActXPrxy.dll
  Hashes=MD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DA  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966988  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-97CC-6185-8400-00000000CC01}  ProcessId=3664  Image=C:\Windows\System32\RuntimeBroker.exe
  ImageLoaded=C:\Windows\System32\CoreMessaging.dll  FileVersion=10.0.14393.3930  Description="Microsoft CoreMessaging Dll"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=CoreMessaging.dll
  Hashes=MD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46D  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966987  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-94A1-6192-9587-01000000CC01}  SourceProcessId=5312  SourceThreadId=1920  SourceImage=C:\Windows\explorer.exe
  TargetProcessGUID={3BF36828-94A2-6192-9787-01000000CC01}  TargetProcessId=1720  TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966986  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-94A1-6192-9587-01000000CC01}  SourceProcessId=5312  SourceThreadId=1920  SourceImage=C:\Windows\explorer.exe
  TargetProcessGUID={3BF36828-94A2-6192-9787-01000000CC01}  TargetProcessId=1720  TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966985  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-94A1-6192-9587-01000000CC01}  SourceProcessId=5312  SourceThreadId=5244  SourceImage=C:\Windows\explorer.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=7 (ImageLoad)  EventRecordID=109966984  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  ProcessGuid={3BF36828-97CC-6185-8400-00000000CC01}  ProcessId=3664  Image=C:\Windows\System32\RuntimeBroker.exe
  ImageLoaded=C:\Windows\System32\ExecModelClient.dll  FileVersion="10.0.14393.4169 (rs1_release.210107-1130)"  Description=ExecModelClient  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=ExecModelClient.dll
  Hashes=MD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966983  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.624"
  SourceProcessGUID={3BF36828-94A1-6192-9587-01000000CC01}  SourceProcessId=5312  SourceThreadId=5244  SourceImage=C:\Windows\explorer.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966982  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.234"
  SourceProcessGUID={3BF36828-9D19-618C-1ED4-00000000CC01}  SourceProcessId=6128  SourceThreadId=4772  SourceImage=C:\Windows\system32\taskmgr.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1410
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966981  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.234"
  SourceProcessGUID={3BF36828-9D19-618C-1ED4-00000000CC01}  SourceProcessId=6128  SourceThreadId=4772  SourceImage=C:\Windows\system32\taskmgr.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966980  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.234"
  SourceProcessGUID={3BF36828-9D19-618C-1ED4-00000000CC01}  SourceProcessId=6128  SourceThreadId=4772  SourceImage=C:\Windows\system32\taskmgr.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966979  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.234"
  SourceProcessGUID={3BF36828-9D19-618C-1ED4-00000000CC01}  SourceProcessId=6128  SourceThreadId=4772  SourceImage=C:\Windows\system32\taskmgr.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966978  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.234"
  SourceProcessGUID={3BF36828-9D19-618C-1ED4-00000000CC01}  SourceProcessId=6128  SourceThreadId=4772  SourceImage=C:\Windows\system32\taskmgr.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=23 (FileDelete)  EventRecordID=109966977  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.187"
  ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01}  ProcessId=5748  User="NT AUTHORITY\SYSTEM"  Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
  TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security"
  Hashes=MD5=086CC994A10FEF483426E3594E3A89C5,SHA256=55C1D06997B2CA90F6A52273267CF574F0A4DF30B8A296A47A3B5F7371811CEB,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived="false - insufficient disk space"

EventID=23 (FileDelete)  EventRecordID=109966976  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.187"
  ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01}  ProcessId=5748  User="NT AUTHORITY\SYSTEM"  Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
  TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security"
  Hashes=MD5=F382AED19FEBA2B359AADABE1CBA28E3,SHA256=335E90083CB2A271C4EDA2422CF26D3ACFAC018A7029BC80815A067D957BFF6E,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived="false - insufficient disk space"

EventID=23 (FileDelete)  EventRecordID=109966975  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.046"
  ProcessGuid={3BF36828-98AB-6185-F600-00000000CC01}  ProcessId=5748  User="NT AUTHORITY\SYSTEM"  Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
  TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
  Hashes=MD5=EC5B9C1BE84689357C67F1F7CF02511F,SHA256=72EF59A65526A6B92AFAA89E35D6804CD06A62A6E47E6DE436AF2AF1DB63815F,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived="false - insufficient disk space"

EventID=7 (ImageLoad)  EventRecordID=109966974  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\msvcp_win.dll  FileVersion="10.0.14393.2999 (rs1_release_inmarket.190520-1518)"  Description="Microsoft® C Runtime Library"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=msvcp_win.dll
  Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966973  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\oleaut32.dll  FileVersion="10.0.14393.4402 (rs1_release.210426-1725)"  Description=OLEAUT32.DLL  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=OLEAUT32.DLL
  Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966972  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\indexeddbserver.dll  FileVersion="10.0.14393.4169 (rs1_release.210107-1130)"  Description="IndexedDb host"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=indexeddb.DLL
  Hashes=MD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1F  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966971  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  SourceProcessGUID={3BF36828-9799-6185-1600-00000000CC01}  SourceProcessId=1272  SourceThreadId=1960  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=10 (ProcessAccess)  EventRecordID=109966970  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  SourceProcessGUID={3BF36828-9799-6185-1600-00000000CC01}  SourceProcessId=1272  SourceThreadId=1324  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1478
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=7 (ImageLoad)  EventRecordID=109966969  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\uxtheme.dll  FileVersion="10.0.14393.4169 (rs1_release.210107-1130)"  Description="Microsoft UxTheme Library"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=UxTheme.dll
  Hashes=MD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966968  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\sechost.dll  FileVersion="10.0.14393.3808 (rs1_release.200707-2105)"  Description="Host for SCM/SDDL/LSA Lookup APIs"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=sechost.dll
  Hashes=MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966967  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:38.015"
  SourceProcessGUID={3BF36828-9799-6185-0C00-00000000CC01}  SourceProcessId=844  SourceThreadId=6904  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1000
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781

EventID=7 (ImageLoad)  EventRecordID=109966966  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\imm32.dll  FileVersion="10.0.14393.0 (rs1_release.160715-1616)"  Description="Multi-User Windows IMM32 API Client DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=imm32
  Hashes=MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FA  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966965  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\gdi32full.dll  FileVersion="10.0.14393.4350 (rs1_release.210407-2154)"  Description="GDI Client DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=gdi32
  Hashes=MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966964  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\gdi32.dll  FileVersion="10.0.14393.4169 (rs1_release.210107-1130)"  Description="GDI Client DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=gdi32
  Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966963  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\win32u.dll  FileVersion="10.0.14393.0 (rs1_release.160715-1616)"  Description=Win32u  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=Win32u.DLL
  Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966962  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\user32.dll  FileVersion="10.0.14393.4169 (rs1_release.210107-1130)"  Description="Multi-User Windows USER API Client DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=user32
  Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966961  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\clbcatq.dll  FileVersion="2001.12.10941.16384 (rs1_release.210107-1130)"  Description="COM+ Configuration Catalog"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=CLBCATQ.DLL
  Hashes=MD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966960  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\msvcrt.dll  FileVersion="7.0.14393.2457 (rs1_release_inmarket.180822-1743)"  Description="Windows NT CRT DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=msvcrt.dll
  Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966959  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\kernel.appcore.dll  FileVersion="10.0.14393.2312 (rs1_release.180607-1919)"  Description="AppModel API Host"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=kernel.appcore.dll
  Hashes=MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966958  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\bcryptprimitives.dll  FileVersion="10.0.14393.4046 (rs1_release.201028-1803)"  Description="Windows Cryptographic Primitives Library"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=bcryptprimitives.dll
  Hashes=MD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966957  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\rpcrt4.dll  FileVersion="10.0.14393.4350 (rs1_release.210407-2154)"  Description="Remote Procedure Call Runtime"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=rpcrt4.dll
  Hashes=MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8E  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966956  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\combase.dll  FileVersion="10.0.14393.4350 (rs1_release.210407-2154)"  Description="Microsoft COM for Windows"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=COMBASE.DLL
  Hashes=MD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966955  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\ucrtbase.dll  FileVersion="10.0.14393.3659 (rs1_release_1.200410-1813)"  Description="Microsoft® C Runtime Library"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=ucrtbase.dll
  Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=10 (ProcessAccess)  EventRecordID=109966954  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  SourceProcessGUID={3BF36828-97C9-6185-7D00-00000000CC01}  SourceProcessId=4968  SourceThreadId=5004  SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={3BF36828-26CD-6193-FE98-01000000CC01}  TargetProcessId=6988  TargetImage=C:\Windows\system32\DllHost.exe  GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f

EventID=7 (ImageLoad)  EventRecordID=109966953  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\KernelBase.dll  FileVersion="10.0.14393.4350 (rs1_release.210407-2154)"  Description="Windows NT BASE API Client DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=Kernelbase.dll
  Hashes=MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966952  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\kernel32.dll  FileVersion="10.0.14393.4350 (rs1_release.210407-2154)"  Description="Windows NT BASE API Client DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=kernel32
  Hashes=MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966951  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\ntdll.dll  FileVersion="10.0.14393.4350 (rs1_release.210407-2154)"  Description="NT Layer DLL"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=ntdll.dll
  Hashes=MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=7 (ImageLoad)  EventRecordID=109966950  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:37.999"
  ProcessGuid={3BF36828-26CD-6193-FE98-01000000CC01}  ProcessId=6988  Image=C:\Windows\System32\dllhost.exe
  ImageLoaded=C:\Windows\System32\dllhost.exe  FileVersion="10.0.14393.0 (rs1_release.160715-1616)"  Description="COM Surrogate"  Product="Microsoft® Windows® Operating System"  Company="Microsoft Corporation"  OriginalFileName=dllhost.exe
  Hashes=MD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88  Signed=true  Signature="Microsoft Windows"  SignatureStatus=Valid

EventID=23 (FileDelete)  EventRecordID=56917251  Computer=win-host-987.attackrange.local  UtcTime="2021-11-16 03:34:39.548"
  ProcessGuid={B81B27B7-2357-6193-8800-00000000CB01}  ProcessId=5124  User="NT AUTHORITY\SYSTEM"  Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
  TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
  Hashes=MD5=6F1684F87DC5F5C466855D126BE7B5EA,SHA256=A5ED797A8E0A00524A7A43783E1D92B93E7A6DCD8E2F471B4447FA17FB0105EB,IMPHASH=00000000000000000000000000000000  IsExecutable=false  Archived="false - insufficient disk space"

EventID=3 (NetworkConnect)  EventRecordID=109967171  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:51.406"
  ProcessGuid={3BF36828-98A5-6185-ED00-00000000CC01}  ProcessId=2352  Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"  User="NT AUTHORITY\SYSTEM"
  Protocol=tcp  Initiated=true  SourceIsIpv6=false  SourceIp=10.0.1.14  SourceHostname=win-dc-128.attackrange.local  SourcePort=58720  SourcePortName=-  DestinationIsIpv6=false  DestinationIp=10.0.1.12  DestinationHostname=-  DestinationPort=8000  DestinationPortName=-

EventID=10 (ProcessAccess)  EventRecordID=109967170  Computer=win-dc-128.attackrange.local  UtcTime="2021-11-16 03:34:39.312"
  SourceProcessGUID={3BF36828-9799-6185-0C00-00000000CC01}  SourceProcessId=844  SourceThreadId=2660  SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={3BF36828-94A2-6192-9887-01000000CC01}  TargetProcessId=4180  TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  GrantedAccess=0x3600
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c

EventID=10 (ProcessAccess)  EventRecordID=109967169  Computer=win-dc-128.attackrange.local  (EventData continues on the following line)  UtcTime=2021-11-16 
03:34:39.312{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.312{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.312{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.312{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.312{3BF36828-97CC-6185-8500-00000000CC01}36604404C:\Windows\system32\sihost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.265{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:
\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.265{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.265{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.265{3BF36828-97A9-6185-3100-00000000CC01}2196876C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000109967160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.265{3BF36828-97A9-6185-3100-00000000CC01}2196876C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000109967159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000109967155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000109967150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.030{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0868A03800239ECD65E634101B58B28,SHA256=622B47A147F8BD4136B0F4FD6B5B467A571276417DB11BEB2F9666D71815B4B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.015{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exeC:\Windows\System32\winbrand.dll10.0.14393.2515 (rs1_release_1.180830-1044)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=CDA73668510FF0BA02967236A857CE7B,SHA256=24ADC4950116C2E3994450465B305D469B78F687EAADCBC167A8C4ECD4907306,IMPHASH=2C424150D7AE913E28B879B06042C9F2trueMicrosoft WindowsValid 734700x8000000000000000109967148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.015{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109967147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.015{3BF36828-94A1-6192-9587-01000000CC01}53126852C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:39.015{3BF36828-94A1-6192-9587-01000000CC01}53126852C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:39.015{3BF36828-97CC-6185-8700-00000000CC01}22164832C:\Windows\system32\taskhostw.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-97CC-6185-8700-00000000CC01}22164832C:\Windows\system32\taskhostw.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53122740C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53122740C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\explorer.exe+1e118|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x8000000000000000109967140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53122740C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53122740C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53122740C:\Windows\explorer.exe{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53125968C:\Windows\explorer.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53125968C:\Windows\explorer.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53125968C:\Windows\explorer.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-94A1-6192-9587-01000000CC01}53125968C:\Windows\explorer.exe{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000109967132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:38.999{3BF36828-26CE-6193-0099-01000000CC01}1308C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 354300x800000000000000056917253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:30.028{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50013-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056917252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:40.580{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D2460A2D6E7F583B551C8107B01A2B,SHA256=D4E0628D52BB6B571797B7D712E51C095C56709F3315802000F20042814BAB61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000109967180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.984{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.984{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-97C9-6185-7D00-00000000CC01}49685004C:\Windows\system32\csrss.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-26CE-6193-FF98-01000000CC01}5016896C:\Windows\system32\cmd.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x8000000000000000109967174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.996{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd /c powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID(‘MMC20.application’,’10.0.1.15’)).Document.ActiveView.ExecuteShellCommand(‘c:\windows\system32\calc.exe’, $null, $null, ‘7’)C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000109967173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F15EF918E5B93C42BD2089E2FF6271,SHA256=3B9B3B97071BFA435877C0AC12BFCF402EF03FACB8C3B2713A198FA5AD672541,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=086CC994A10FEF483426E3594E3A89C5,SHA256=55C1D06997B2CA90F6A52273267CF574F0A4DF30B8A296A47A3B5F7371811CEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000056917292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.908{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.908{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.908{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.908{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-26D1-6193-3501-00000000CB01}4320C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.908{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.908{B81B27B7-26D1-6193-3401-00000000CB01}30245240C:\windows\system32\calc.exe{B81B27B7-26D1-6193-3501-00000000CB01}4320C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+8ebd3|C:\Windows\System32\SHELL32.dll+8ea9b|C:\Windows\System32\SHELL32.dll+8e3b7|C:\Windo
ws\System32\SHELL32.dll+6c57e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000056917286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.902{B81B27B7-26D1-6193-3501-00000000CB01}4320C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{B81B27B7-26D1-6193-0C61-180000000000}0x18610c0HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\Windows\System32\calc.exe"C:\windows\system32\calc.exe" 10341000x800000000000000056917285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.892{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.892{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.892{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.877{B81B27B7-2343-6193-0C00-00000000CB01}652736C:\Windows\system32\lsass.exe{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.877{B81B27B7-2343-6193-0C00-00000000CB01}652736C:\Windows\system32\lsass.exe{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.877{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.877{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.877{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.830{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.830{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.830{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.830{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.752{B81B27B7-25AA-6193-FB00-00000000CB01}53605264C:\Windows\system32\svchost.exe{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
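The Event ID 1 record on win-dc-128 at 03:34:40.996 above is a remote MMC20.Application DCOM activation: PowerShell calls `GetTypeFromProgID('MMC20.application','10.0.1.15')` and then `Document.ActiveView.ExecuteShellCommand(...)`, and a second later calc.exe (PID 3024) starts on win-host-987, the host the Event ID 3 records map to 10.0.1.15. The following is an added detection example written for this page; it is not part of the exported log and not code from the attack range or from Splunk. It runs over constructed dict-form Sysmon Event ID 1 records rather than the flattened export. The source-side record is reduced from the one above; the target-side mmc.exe activation (DcomLaunch svchost starting `mmc.exe -Embedding`, which then spawns the requested program) is the documented behaviour of this technique but does not appear in the excerpt, so those two records, their GUIDs, PIDs and timestamps, and the static IP-to-host map are assumptions.

```python
"""Detect MMC20.Application DCOM lateral movement over Sysmon Event ID 1 records.
Source side: a command line instantiating the MMC20.Application ProgID on a remote host
and calling Document.ActiveView.ExecuteShellCommand(...). Target side: DCOM starts
mmc.exe under the DcomLaunch svchost with "-Embedding", and the requested program then
appears as a child of that mmc.exe. The join is host + parent GUID + image + time window."""
import re
from datetime import datetime, timedelta

# Accept straight and typographic quotes: the logged command above uses ‘ ’.
_Q = "['\"\u2018\u2019\u201c\u201d]"
_NQ = "[^'\"\u2018\u2019\u201c\u201d]"
MMC20_RE = re.compile(
    rf"GetTypeFromProgID\(\s*{_Q}MMC20\.Application{_Q}\s*,\s*{_Q}(?P<target>{_NQ}+){_Q}\s*\)"
    rf".*?ExecuteShellCommand\(\s*{_Q}(?P<command>{_NQ}+){_Q}",
    re.IGNORECASE | re.DOTALL,
)

def parse_mmc20_launch(command_line):
    """Return {'target', 'command'} for a remote MMC20 ExecuteShellCommand, else None.
    Only the two-argument ProgID form is matched: a local instantiation has no target, and
    GetTypeFromCLSID with the MMC20 CLSID would need a second pattern."""
    m = MMC20_RE.search(command_line or "")
    return {"target": m["target"].strip(), "command": m["command"].strip()} if m else None

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _when(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def is_dcom_launched_mmc(e):
    """mmc.exe started out-of-process by the DcomLaunch svchost (server side of the activation)."""
    return (e.get("EventID") == 1
            and _basename(e.get("Image", "")) == "mmc.exe"
            and "-embedding" in e.get("CommandLine", "").lower()
            and _basename(e.get("ParentImage", "")) == "svchost.exe"
            and "dcomlaunch" in e.get("ParentCommandLine", "").lower())

def correlate(events, host_by_ip, window=timedelta(seconds=60)):
    """One alert per source-side MMC20 command line (high fidelity on its own); confirmed when
    the requested program shows up on the target as a child of a DCOM-launched mmc.exe."""
    creates = [e for e in events if e.get("EventID") == 1]
    mmc_guids = {e["ProcessGuid"] for e in creates if is_dcom_launched_mmc(e)}
    alerts = []
    for src in creates:
        hit = parse_mmc20_launch(src.get("CommandLine"))
        if not hit:
            continue
        target_host = host_by_ip.get(hit["target"], hit["target"]).lower()
        matches = [t for t in creates
                   if t["Computer"].lower() == target_host
                   and t.get("ParentProcessGuid") in mmc_guids
                   and _basename(t.get("Image", "")) == _basename(hit["command"])
                   and abs(_when(t) - _when(src)) <= window]
        alerts.append({"source_host": src["Computer"], "source_time": src["UtcTime"],
                       "target_host": target_host, "command": hit["command"],
                       "confirmed_on_target": bool(matches),
                       "target_pids": [t.get("ProcessId") for t in matches]})
    return alerts

def _ev(computer, utc, guid, pid, image, cmd, pguid, pimage, pcmd):
    return {"EventID": 1, "Computer": computer, "UtcTime": utc, "ProcessGuid": guid, "ProcessId": pid,
            "Image": image, "CommandLine": cmd, "ParentProcessGuid": pguid, "ParentImage": pimage,
            "ParentCommandLine": pcmd}

DC, HOST = "win-dc-128.attackrange.local", "win-host-987.attackrange.local"
SAMPLE_EVENTS = [
    # Source side: the Event ID 1 record at 03:34:40.996 above, reduced to the fields used here.
    _ev(DC, "2021-11-16 03:34:40.996", "{3BF36828-26D0-6193-0199-01000000CC01}", 6760,
        "C:\\Windows\\System32\\cmd.exe",
        "cmd /c powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID(‘MMC20.application’,’10.0.1.15’))"
        ".Document.ActiveView.ExecuteShellCommand(‘c:\\windows\\system32\\calc.exe’, $null, $null, ‘7’)",
        "{3BF36828-26CE-6193-FF98-01000000CC01}", "C:\\Windows\\System32\\cmd.exe", "\"C:\\Windows\\system32\\cmd.exe\""),
    # Target side, CONSTRUCTED: the mmc.exe activation and calc.exe's parent are not in the excerpt;
    # the mmc.exe GUID/PID and both timestamps are assumed. calc.exe's GUID and PID 3024 are from the log.
    _ev(HOST, "2021-11-16 03:34:41.402", "{B81B27B7-26D1-6193-3301-00000000CB01}", 2216,
        "C:\\Windows\\System32\\mmc.exe", "\"C:\\Windows\\system32\\mmc.exe\" -Embedding",
        "{B81B27B7-2344-6193-0F00-00000000CB01}", "C:\\Windows\\System32\\svchost.exe",
        "C:\\Windows\\system32\\svchost.exe -k DcomLaunch"),
    _ev(HOST, "2021-11-16 03:34:41.740", "{B81B27B7-26D1-6193-3401-00000000CB01}", 3024,
        "C:\\windows\\system32\\calc.exe", "\"c:\\windows\\system32\\calc.exe\"",
        "{B81B27B7-26D1-6193-3301-00000000CB01}", "C:\\Windows\\System32\\mmc.exe",
        "\"C:\\Windows\\system32\\mmc.exe\" -Embedding"),
    # Noise: the win32calc.exe record from the log (parent is calc.exe, not mmc.exe) and a
    # constructed interactive mmc.exe started from explorer.exe; neither may match.
    _ev(HOST, "2021-11-16 03:34:41.902", "{B81B27B7-26D1-6193-3501-00000000CB01}", 4320,
        "C:\\Windows\\System32\\win32calc.exe", "\"C:\\Windows\\System32\\win32calc.exe\" ",
        "{B81B27B7-26D1-6193-3401-00000000CB01}", "C:\\Windows\\System32\\calc.exe", "\"C:\\windows\\system32\\calc.exe\""),
    _ev(HOST, "2021-11-16 03:40:00.000", "{B81B27B7-2811-6193-4001-00000000CB01}", 5100,
        "C:\\Windows\\System32\\mmc.exe", "\"C:\\Windows\\system32\\mmc.exe\" eventvwr.msc",
        "{B81B27B7-2350-6193-6C00-00000000CB01}", "C:\\Windows\\explorer.exe", "C:\\Windows\\Explorer.EXE"),
]
# 10.0.1.15 is win-host-987 per the Event ID 3 records above; a static map stands in for a DNS/CMDB lookup.
HOST_BY_IP = {"10.0.1.15": HOST}

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, HOST_BY_IP):
        print(alert)
```

The source-side match alone is worth alerting on, since a legitimate administrator has little reason to drive MMC over DCOM from PowerShell; the target-side join only raises confidence and names the host to contain. The quote class matters in practice: PowerShell accepts typographic quotes, and the logged command above uses them, so a pattern written with straight quotes only would miss this exact record.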
10341000x800000000000000056917272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.720{B81B27B7-2343-6193-0C00-00000000CB01}652708C:\Windows\system32\lsass.exe{B81B27B7-233F-6193-0100-00000000CB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000056917271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.720{B81B27B7-2343-6193-0C00-00000000CB01}652708C:\Windows\system32\lsass.exe{B81B27B7-2344-6193-1700-00000000CB01}1176C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.720{B81B27B7-2343-6193-0C00-00000000CB01}652708C:\Windows\system32\lsass.exe{B81B27B7-2344-6193-1700-00000000CB01}1176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.720{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.720{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.720{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.720{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.720{B81B27B7-2343-6193-0500-00000000CB01}416780C:\Windows\system32\csrss.exe{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.720{B81B27B7-26D1-6193-3301-00000000CB01}41084832C:\Windows\system32\mmc.exe{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+8e49f|C:\Windows\System32\SHELL32.dll+8e32c|C:\Windows\System32\SHELL32.dll+6c57e|C:\Windows\System32\SHCORE.DLL+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.722{B81B27B7-26D1-6193-3401-00000000CB01}3024C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\windows\system32\calc.exe" 
C:\Windows\system32\ATTACKRANGE\Administrator{B81B27B7-26D1-6193-0C61-180000000000}0x18610c0HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{B81B27B7-26D1-6193-3301-00000000CB01}4108C:\Windows\System32\mmc.exeC:\Windows\system32\mmc.exe -Embedding 23542300x800000000000000056917262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.595{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B2416A839B5E98C6E202DF1F8AA693,SHA256=901D9F4414BDC549F557F227B976C55F64BD6139DDCBC5445BE8C4A48E210F43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.984{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1576A9F65ACDB005A6856078D43037C5,SHA256=D6208F250BDD5CECC7909E39DEE7234C524932B194049A3880E3B43748D2FAC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.749{3BF36828-26D1-6193-0299-01000000CC01}1604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000109967296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.577{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 734700x8000000000000000109967295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.562{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000109967294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.562{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x8000000000000000109967293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.562{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft 
Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 23542300x8000000000000000109967292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.343{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EE351563575D32939A16FC3B7F7F9F,SHA256=01EA44E9B7350C6A4D69EAF3552A1EEABB9D6CE98A04BBF4FA22D1CB2CBF64EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.312{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4C47D4006A38EF0928F1976CE713FC,SHA256=77EFC15397DC050107928D9EC840FB590FC7C5F5DAE8A79148F9E4730E2BB99F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000109967283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:41.234{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000056917261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.564{B81B27B7-26D1-6193-3301-00000000CB01}4108C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 17141700x800000000000000056917260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-11-16 03:34:41.517{B81B27B7-26D1-6193-3301-00000000CB01}4108\Winsock2\CatalogChangeListener-100c-0C:\Windows\system32\mmc.exe 10341000x800000000000000056917259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.173{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.173{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:41.173{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.173{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.160{B81B27B7-26D1-6193-3301-00000000CB01}4108C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft 
Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exeC:\Windows\system32\mmc.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{B81B27B7-26D1-6193-0C61-180000000000}0x18610c0HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{B81B27B7-2344-6193-0D00-00000000CB01}760C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000056917254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.017{B81B27B7-2344-6193-1400-00000000CB01}716NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=61B9450FC39BF176FD8B2C187BD986A7,SHA256=4D35C83051D41D909BFF4A02AE2DD3CDB14A2B2EE5A188A545D8E802E607BF67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.124{3BF36828-9799-6185-1600-00000000CC01}12721960C:\Windows\system32\svchost.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:41.124{3BF36828-9799-6185-1600-00000000CC01}12721324C:\Windows\system32\svchost.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.124{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000109967277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.093{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\9311b6c382518fe61794f144e07fef90\Microsoft.CSharp.ni.dll4.8.3761.0Microsoft.CSharp.dllMicrosoft® .NET FrameworkMicrosoft CorporationMicrosoft.CSharp.dllMD5=128DC0E19146F3415EED062CD2449C39,SHA256=56E0DB54E0C651DF6FEDF2C0E8B6F7CC3EA0EC845945628FA9A89F59F80CE85A,IMPHASH=00000000000000000000000000000000false-Unavailable 10341000x8000000000000000109967276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:41.077{3BF36828-9797-6185-0B00-00000000CC01}6365288C:\Windows\system32\lsass.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.077{3BF36828-9797-6185-0B00-00000000CC01}6365288C:\Windows\system32\lsass.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000109967274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.077{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000109967273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.077{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109967272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.077{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\7e9b84127ece5956cbef3f95dfa8a55e\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=12950C8D0928F444819D240FAA6FC20A,SHA256=4E632944A41A907E9446ED145D5D74CD082ECC55A643CD917324B1463615981E,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000109967271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109967200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109967199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109967198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.999{3BF36828-26CE-6193-0099-01000000CC01}13086920C:\Windows\system32\conhost.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453trueMicrosoft WindowsValid 10341000x8000000000000000109967193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.999{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.999{3BF36828-9799-6185-0C00-00000000CC01}8442660C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:40.999{3BF36828-26D0-6193-0199-01000000CC01}67604696C:\Windows\system32\cmd.exe{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:41.003{3BF36828-26D1-6193-0299-01000000CC01}1604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID(‘MMC20.application’,’10.0.1.15’)).Document.ActiveView.ExecuteShellCommand(‘c:\windows\system32\calc.exe’, $null, $null, ‘7’)C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.execmd /c powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID(‘MMC20.application’,’10.0.1.15’)).Document.ActiveView.ExecuteShellCommand(‘c:\windows\system32\calc.exe’, $null, $null, ‘7’) 734700x8000000000000000109967186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.999{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109967185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-26CE-6193-0099-01000000CC01}13086920C:\Windows\system32\conhost.exe{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:40.984{3BF36828-26D0-6193-0199-01000000CC01}6760C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 23542300x800000000000000056917300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:42.746{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ACD35073CEF8F498F8573719067851FE,SHA256=E4F8E2EF24F4CA94BB20AC0F5FA77616F6DE8710313C0E31E5DFF63BFA6AA39B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:42.746{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=96574BA5E8AF067F5D147FEAFC98C2B3,SHA256=4F0457708275B62A8C6FF0C91DDB09AFC8913FAFC39BB88138A6FB0E7E31FD0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:32.960{B81B27B7-2343-6193-0C00-00000000CB01}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50014-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000056917297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:32.959{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal58722-false10.0.1.15win-host-987.attackrange.local135epmap 354300x800000000000000056917296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:32.956{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal58721-false10.0.1.15win-host-987.attackrange.local135epmap 23542300x800000000000000056917295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:42.652{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F11F2AB0BD451437BA14712BBC1179,SHA256=BB5213A984F52689F627D8ED2E82810BB64F94C08BA1545606B100C48FDAE6B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109967303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:55.371{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50014-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000109967302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:55.369{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local58722-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 354300x8000000000000000109967301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:55.366{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local58721-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal135epmap 23542300x8000000000000000109967300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:42.468{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796FABB04E870D590B901089E2078962,SHA256=3D2032272FDE72CFA2002807E5A18D7012C7D61AD671CF8502239E8B5F3D7A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:42.152{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B23753E89344F3553CDA0967606D3988,SHA256=561B59990B5B2853503D67D8ABE1FCED132483A28F785DFD9BB33F67BD11749B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056917293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:42.152{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7707DD27543B2BA28486D10675F6028,SHA256=0046022328516B3FBC9E6A852029A044933F31CA80E6D5E6B6BA2E264229BCAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:42.046{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=71C5D149EA576453B86E05BFC6CCDDB1,SHA256=F254AF165E554EBADA2AD4812B166A007BB800553D49064CD326C97FCD660CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:33.531{B81B27B7-233F-6193-0100-00000000CB01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50016-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x800000000000000056917302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:43.653{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3708A4D647B7898CF3E2AF2C2300ECCA,SHA256=D1F9831A6BE68D41D1961E896D79F317A962A5E07D04B9FC379CC2783BFC2656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
354300x8000000000000000109967306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:55.941{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50016-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x8000000000000000109967305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:43.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2F177D64AB51EF668EBE74BD163015,SHA256=C47CBA8CD88A31F2E7AAB5B95709B64C2C53399889450D635CB59BFE201174F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000056917301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:33.535{B81B27B7-2344-6193-1400-00000000CB01}716win-dc-128.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 23542300x8000000000000000109967304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:43.234{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB88C4D8F5ECB04ADA737189FB18AC3,SHA256=1A15CB49352A22B3343715E2BF2594CF9BCE08D772933460E485E5513D55C208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109967324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:56.407{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58725-false10.0.1.12-8000- 
23542300x8000000000000000109967323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:44.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABFE915A8B6C3ED288F7CC23BEFEE9D,SHA256=B338B8FDDCF44ADB42BBA4113E31732445E589D8FC9441C882D6363EC925E762,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:44.666{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1425DEDE9C3ED753F1706B54C3E727FF,SHA256=7D56FE9E8C56738D51B0C498F0B4F7516769439CA9687EC0BC6A6645DEA28444,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:33.470{00000000-0000-0000-0000-000000000000}4108<unknown process>-tcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal58724-false10.0.1.15win-host-987.attackrange.local50015- 354300x800000000000000056917304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:33.376{00000000-0000-0000-0000-000000000000}4108<unknown process>-tcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal58723-false10.0.1.15win-host-987.attackrange.local50015- 23542300x8000000000000000109967322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:44.577{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEE1046EAD07E989B2113A24263F7333,SHA256=2D081C297BBCBB8AD63AA74845E70EDD9E376767B72A9FCAE8A9A09DE99A5FB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109967321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:55.880{00000000-0000-0000-0000-000000000000}1604<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local58724-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50015- 354300x8000000000000000109967320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:55.786{00000000-0000-0000-0000-000000000000}1604<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local58723-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50015- 10341000x8000000000000000109967319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:44.296{3BF36828-9799-6185-0C00-00000000CC01}8443992C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9887-01000000CC01}4180C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4
c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:44.296{3BF36828-9799-6185-0C00-00000000CC01}8443992C:\Windows\system32\svchost.exe{3BF36828-94A2-6192-9787-01000000CC01}1720C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000109967317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109967342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109967341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000109967340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:46.749{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000109967335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:46.749{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:46.749{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.749{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.734{3BF36828-26D6-6193-0399-01000000CC01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109967328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.655{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08EAC45229A89FF99A7D36D54FB3729,SHA256=7329D750B1EE15A26261FB4D9116259142BC9EE8651C2886FB229FB93BE956C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x8000000000000000109967327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:46.515{3BF36828-9799-6185-0D00-00000000CC01}9044232C:\Windows\system32\svchost.exe{3BF36828-97CB-6185-8300-00000000CC01}4888C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000109967326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-16 03:34:46.265{3BF36828-9799-6185-1000-00000000CC01}444C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7da9a-0xe6cbcbd5) 10341000x800000000000000056917312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:46.527{B81B27B7-2344-6193-0E00-00000000CB01}8363432C:\Windows\system32\svchost.exe{B81B27B7-2354-6193-7800-00000000CB01}4356C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056917316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:47.699{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB60CA2D4136F8318849DA738320BEBD,SHA256=506C339A3C43D011E8576CA88C7C9D753F6AC1041200161B1026E74A1BD542FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000109967490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109967489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109967488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109967487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109967486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109967485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109967484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109967483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.968{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109967482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109967481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000109967480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109967479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109967478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109967477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109967476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109967475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109967474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109967472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109967471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.952{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109967402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109967401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
10341000x8000000000000000109967399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:47.280{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000109967396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:47.280{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000109967392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:47.280{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.280{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.266{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000109967389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.265{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.265{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:47.265{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.265{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.265{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26D7-6193-0499-01000000CC01}4980C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109967384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:47.202{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDBEF88BAFAE19FF94B7B4769AA6C534,SHA256=444C6950AADF701A6B197138EBB51CA9A821D485389F643E5390E8A149D2BA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:48.705{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18037B5D4BD366F98698B1859F18219,SHA256=A64ADC3EAAA5151EBCF4D266D71911A8A7A9C15C763140C3F6619B2CA52A41C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000056917317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-16 03:34:48.611{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7da9a-0xe831da54) 23542300x8000000000000000109967548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.921{3BF36828-98AB-6185-F600-00000000CC01}5748NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA2E1A27F69E902101202D53E77D5F6,SHA256=BE89D8B099D32BB708F64227BF9577CB055C2324E149E4AB15D2393D467105E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.796{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109967546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.796{3BF36828-26D8-6193-0699-01000000CC01}53047156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.781{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109967544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.781{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000109967543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:00.422{3BF36828-9799-6185-1000-00000000CC01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse168.61.215.74-123ntp 734700x8000000000000000109967542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.656{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109967541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.656{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109967540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.656{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109967539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.656{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109967538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109967537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109967536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109967535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109967534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109967533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109967532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109967531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109967530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109967529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109967528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000109967527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109967526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109967525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109967523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109967522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109967521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000109967520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109967519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109967518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109967517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109967516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109967515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109967514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109967513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109967512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109967511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109967510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000109967509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109967508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109967507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109967506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000109967502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000109967501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:48.640{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:48.640{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.640{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.625{3BF36828-26D8-6193-0699-01000000CC01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000109967494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.265{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AE4D8112B0ADECD8D460C2F997B023,SHA256=F2019C79C8005BFE320E73AF96BEBD5F8D8882AA2C4888D7B2F5AC771BAF07CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
734700x8000000000000000109967493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.124{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000109967492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.124{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109967491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:48.124{3BF36828-26D7-6193-0599-01000000CC01}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000056917324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:40.401{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL 
SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x800000000000000056917323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:40.401{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x800000000000000056917322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:49.830{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D6DD7AD248B716C9C631CC2946914C,SHA256=734D84E859C2A6C5720E94E9D6B0878B1FAC47E2EEE6724C9D82D7AE8AA824D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:49.830{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B23753E89344F3553CDA0967606D3988,SHA256=561B59990B5B2853503D67D8ABE1FCED132483A28F785DFD9BB33F67BD11749B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:49.721{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E72DAA37D328A0CE8EDF0CAC9E97A82,SHA256=3996612B1AF0E107853549B4580CB30FBCF6E491DAE1F36B0D62E5993665F9FA,IMPHASH=00000000000000000000000000000000falsefalse - 
insufficient disk space 23542300x8000000000000000109967602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.578{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD45E80E2A462C39246C132E284EDD60,SHA256=EA9DDD4A5BA6561F9E3E1B78985ABEF658078E734E446E00B41ABBC6310A9B6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109967601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:02.438{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58726-false10.0.1.12-8000- 10341000x8000000000000000109967600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.468{3BF36828-26D9-6193-0799-01000000CC01}42646996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.468{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109967598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.468{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109967597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.343{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109967596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.343{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000109967595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.343{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109967594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.343{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109967593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:49.343{3BF36828-26D9-6193-0799-01000000CC01}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
(rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000109967690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109967689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000109967688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 
734700x8000000000000000109967687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109967686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109967685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109967684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109967683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109967682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109967681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109967680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109967679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109967678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109967677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000109967676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109967675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109967674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 
734700x8000000000000000109967673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109967672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109967671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000109967669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000109967666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000109967664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:50.703{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:50.703{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:50.703{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.703{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.688{3BF36828-26DA-6193-0999-01000000CC01}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000109967657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:03.376{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58727-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000109967656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:03.376{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58727-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000109967655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.328{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23D4BF6342BEF99EE72DA072F77FA01,SHA256=4117C74060073BD92F4503EA2C09B4D271DC6AAE4959DCBFF0DED193D82ED185,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.296{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B902698588BEBB1ABD14C0407BB633FA,SHA256=3C678A21652F5EFEB6043F9AAC0B596DE77ABBB12CFB8EECED170D5167A49079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.156{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000109967652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.156{3BF36828-26DA-6193-0899-01000000CC01}56766228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.156{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging 
HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000109967650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.156{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000109967649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.031{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000109967648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.031{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000109967647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.031{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000109967646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.031{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000109967645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000109967644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000109967643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000109967642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000109967641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000109967640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000109967639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000109967638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000109967637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000109967636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000109967635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000109967634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000109967633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000109967632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000109967630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000109967629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000109967628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000109967627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109967626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000109967625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000109967624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft 
WindowsValid 734700x8000000000000000109967623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000109967622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000109967621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000109967620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000109967619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000109967618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000109967617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000109967616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000109967615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000109967614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000109967609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:50.015{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:50.015{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:50.015{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.015{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:50.001{3BF36828-26DA-6193-0899-01000000CC01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056917326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:51.783{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86BE162856FC39ED362588354295790D,SHA256=1296A7AF7165398A6AE7D62C4C8E83A3AB402A3E1B3746D54328C77EC1CFDE95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:51.468{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16F4068FD8C321FC4AF62C35C21B88F,SHA256=7A4FE377CFABCF70EE1002FBEE27DB07383E476B83226EEA918126D226DA79B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:51.468{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B1E841F2B41CFC888C398F5AB95BE63,SHA256=539798FCE2081E8EB9EB12E7687F0047F4C553BB3891D8EC3BFD6E9C20E16B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:51.203{3BF36828-9799-6185-0D00-00000000CC01}9044232C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:51.203{3BF36828-9799-6185-0D00-00000000CC01}9044232C:\Windows\system32\svchost.exe{3BF36828-2572-6193-D398-01000000CC01}6456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:51.203{3BF36828-9799-6185-0D00-00000000CC01}9044232C:\Windows\system32\svchost.exe{3BF36828-2572-6193-D398-01000000CC01}6456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x800000000000000056917345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.799{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC1722312BCC8752D4E874D0E751659,SHA256=C4FA9657AF3FCC06BD50EC9BDD39335FB1AC94EE5CE1B8E013ADA3E809C5AA02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.671{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000109967834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.671{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x8000000000000000109967833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.671{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft 
Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 23542300x8000000000000000109967832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4CCE510971AC1E1D56E4FCFE86B9F1,SHA256=A961B20248C51A50290832EBD3043FC91DDFD9A3DB837A5D4D7C6E4E90FA3AEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.609{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F2C75CAF51C89691ABFB5DE419EFD0,SHA256=40D29C5645867978326D40B74E807D73E5610FBA88CCAA23A5C59C4215C7F0AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000109967823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.328{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.218{3BF36828-9799-6185-1600-00000000CC01}12721960C:\Windows\system32\svchost.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.218{3BF36828-9799-6185-1600-00000000CC01}12721324C:\Windows\system32\svchost.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.218{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000109967817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.203{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\9311b6c382518fe61794f144e07fef90\Microsoft.CSharp.ni.dll4.8.3761.0Microsoft.CSharp.dllMicrosoft® .NET FrameworkMicrosoft CorporationMicrosoft.CSharp.dllMD5=128DC0E19146F3415EED062CD2449C39,SHA256=56E0DB54E0C651DF6FEDF2C0E8B6F7CC3EA0EC845945628FA9A89F59F80CE85A,IMPHASH=00000000000000000000000000000000false-Unavailable 10341000x800000000000000056917344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.705{B81B27B7-2354-6193-7C00-00000000CB01}45364636C:\Windows\system32\taskhostw.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000056917343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.674{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\explorer.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 17141700x800000000000000056917342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-CreatePipe2021-11-16 03:34:52.658{B81B27B7-2355-6193-8000-00000000CB01}4852\Winsock2\CatalogChangeListener-12f4-0C:\Windows\Explorer.EXE 10341000x800000000000000056917341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.377{B81B27B7-2354-6193-7C00-00000000CB01}45364636C:\Windows\system32\taskhostw.exe{B81B27B7-2355-6193-8000-00000000CB01}4852C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.283{B81B27B7-2344-6193-1600-00000000CB01}11043036C:\Windows\system32\svchost.exe{B81B27B7-26DC-6193-3601-00000000CB01}6140C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:52.283{B81B27B7-2344-6193-1600-00000000CB01}11041156C:\Windows\system32\svchost.exe{B81B27B7-26DC-6193-3601-00000000CB01}6140C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.252{B81B27B7-2352-6193-6F00-00000000CB01}39763304C:\Windows\system32\csrss.exe{B81B27B7-26DC-6193-3601-00000000CB01}6140C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.252{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-26DC-6193-3601-00000000CB01}6140C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-26DC-6193-3601-00000000CB01}6140C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.264{B81B27B7-26DC-6193-3601-00000000CB01}6140C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -EmbeddingC:\Windows\system32\ATTACKRANGE\REED_SCHMIDT{B81B27B7-2353-6193-A0BF-070000000000}0x7bfa02MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{B81B27B7-2344-6193-0D00-00000000CB01}760C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000056917330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:52.252{B81B27B7-2344-6193-0D00-00000000CB01}760792C:\Windows\system32\svchost.exe{B81B27B7-2344-6193-0E00-00000000CB01}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000056917327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:41.887{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50022-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000109967816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.187{3BF36828-9797-6185-0B00-00000000CC01}6366520C:\Windows\system32\lsass.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.187{3BF36828-9797-6185-0B00-00000000CC01}6366520C:\Windows\system32\lsass.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x8000000000000000109967814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.187{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000109967813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.187{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000109967812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.187{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\7e9b84127ece5956cbef3f95dfa8a55e\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=12950C8D0928F444819D240FAA6FC20A,SHA256=4E632944A41A907E9446ED145D5D74CD082ECC55A643CD917324B1463615981E,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000109967811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.171{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=D17E11DDF716089AF736DBA7C4F24C75,SHA256=DF301F2F2A735A1A75EAE79E64CCFDAD335E319B98316E9E875F726FA2CB51D5,IMPHASH=1C67DA46DE146D5C03F7C75A4E4CCCA4trueMicrosoft CorporationValid 734700x8000000000000000109967810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.171{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\2f95aa5c70f2368529871c6f84d442b0\System.Transactions.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=0EE7D88EB9897F293EBF4BC507806DC3,SHA256=495B40C5929C8617CD3C88D4D600E53D39F8FF9AF5CB0C310C5D5020722AC76E,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000109967809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.171{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\575405053a07a343d01cf81e4414a0d5\Microsoft.PowerShell.Security.ni.dll10.0.14393.2848Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Security.dllMD5=E38B049565C61043DEAE2F479E5A1826,SHA256=A0C597A54EEE6FC1075158F58DCBEA5921DFA24F654C2A7E656928AAE8F27EC9,IMPHASH=00000000000000000000000000000000false-Unavailable 734700x8000000000000000109967808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.171{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4350.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=C018D3F757D7E3057B71D38FCB390D1A,SHA256=BF63BB7CA92F9EE37F7447FDDC1097AF68EFBEC460701C505AC17165CE095317,IMPHASH=9F2B44B648DE13A18C1ABC07250B85C2trueMicrosoft CorporationValid 17141700x8000000000000000109967807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-11-16 03:34:52.156{3BF36828-26DC-6193-0B99-01000000CC01}6076\PSHost.132815072920930496.6076.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000109967806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.156{3BF36828-26DC-6193-0B99-01000000CC01}6076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dgamgh3j.hhq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.140{3BF36828-26DC-6193-0B99-01000000CC01}6076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_10wv0tmx.v1d.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000109967804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.140{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348C,IMPHASH=C93A45A26AACEA8208AA325C281035F0trueMicrosoft WindowsValid 734700x8000000000000000109967803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.140{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000109967802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.140{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBE,IMPHASH=9FE0ED33D42CDA291AE72F170DE4D48FtrueMicrosoft CorporationValid 734700x8000000000000000109967801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.140{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 
03:34:52.093{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.093{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.093{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-97C9-6185-7D00-00000000CC01}49685004C:\Windows\system32\csrss.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.078{3BF36828-26DC-6193-0A99-01000000CC01}51765416C:\Windows\system32\cmd.exe{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000109967727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.093{3BF36828-26DC-6193-0B99-01000000CC01}6076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe [activator]::CreateInstance([type]::GetTypeFromCLSID(‘C08AFD90-F2A1-11D1-8455-00A0C91F3880’,’10.0.1.15’)).Document.Application.ShellExecute(‘cmd.exe’,’/c calc.exe’,’C:\windows\system32’,$null,0)C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.execmd /c powershell.exe [activator]::CreateInstance([type]::GetTypeFromCLSID(‘C08AFD90-F2A1-11D1-8455-00A0C91F3880’,’10.0.1.15’)).Document.Application.ShellExecute(‘cmd.exe’,’/c calc.exe’,’C:\windows\system32’,$null,0) 734700x8000000000000000109967726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000109967725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-26CE-6193-0099-01000000CC01}13086920C:\Windows\system32\conhost.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000109967724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000109967723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000109967722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.078{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000109967721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 10341000x8000000000000000109967720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.078{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:52.078{3BF36828-9799-6185-0C00-00000000CC01}844948C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000109967715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.078{3BF36828-26CE-6193-FF98-01000000CC01}5016896C:\Windows\system32\cmd.exe{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x8000000000000000109967714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:52.086{3BF36828-26DC-6193-0A99-01000000CC01}5176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd /c powershell.exe [activator]::CreateInstance([type]::GetTypeFromCLSID(‘C08AFD90-F2A1-11D1-8455-00A0C91F3880’,’10.0.1.15’)).Document.Application.ShellExecute(‘cmd.exe’,’/c calc.exe’,’C:\windows\system32’,$null,0)C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3BF36828-26CE-6193-FF98-01000000CC01}5016C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000056917393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.871{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9B8AD667F8FDBB596AEB820AB4C731,SHA256=2A6AC69BE2AC75724AACB06C61F52FC722EB5102CEADEDFBDFC23373B4A68272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000109967853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109967840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.515{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-94A1-6192-9587-01000000CC01}5312C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000109967839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:53.359{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7402B13E4FF47D63BAA0FB9D33620305,SHA256=81F11C59F794FF0B1043F8F28A198FDD1A2429BC58025EE5A9A396EF83C9613D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
10341000x800000000000000056917392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2354-6193-7C00-00000000CB01}45364636C:\Windows\system32\taskhostw.exe{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2354-6193-7C00-00000000CB01}45364636C:\Windows\system32\taskhostw.exe{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48524908C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000056917389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48524908C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48524908C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525068C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525068C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525068C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525068C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525048C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525048C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525048C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.418{B81B27B7-2355-6193-8000-00000000CB01}48525048C:\Windows\Explorer.EXE{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056917379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.273{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D6DD7AD248B716C9C631CC2946914C,SHA256=734D84E859C2A6C5720E94E9D6B0878B1FAC47E2EEE6724C9D82D7AE8AA824D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.221{B81B27B7-2344-6193-1600-00000000CB01}11043036C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.221{B81B27B7-2344-6193-1600-00000000CB01}11041156C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.205{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.205{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.205{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.205{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.205{B81B27B7-2352-6193-6F00-00000000CB01}39763304C:\Windows\system32\csrss.exe{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.205{B81B27B7-26DD-6193-3901-00000000CB01}48045488C:\windows\system32\calc.exe{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+8ebd3|C:\Windows\System32\SHELL32.dll+8ea9b|C:\Windows\System32\SHELL32.dll+8e3b7|C:\Windows\System32\SHELL32.dll+6c57e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000056917370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.206{B81B27B7-26DD-6193-3A01-00000000CB01}4188C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\windows\system32\ATTACKRANGE\REED_SCHMIDT{B81B27B7-2353-6193-A0BF-070000000000}0x7bfa02MediumMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\Windows\System32\calc.execalc.exe 10341000x800000000000000056917369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.190{B81B27B7-2343-6193-0C00-00000000CB01}6521988C:\Windows\system32\lsass.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.190{B81B27B7-2343-6193-0C00-00000000CB01}6521988C:\Windows\system32\lsass.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.158{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.158{B81B27B7-2344-6193-1600-00000000CB01}11043036C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.158{B81B27B7-2344-6193-1600-00000000CB01}11041156C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.127{B81B27B7-25AA-6193-FB00-00000000CB01}53604224C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.096{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.096{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.096{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.096{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.096{B81B27B7-2352-6193-6F00-00000000CB01}39763684C:\Windows\system32\csrss.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.096{B81B27B7-26DD-6193-3701-00000000CB01}26485896C:\Windows\System32\cmd.exe{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+f1e1|C:\Windows\System32\cmd.exe+11a37|C:\Windows\System32\cmd.exe+cb0d|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.099{B81B27B7-26DD-6193-3901-00000000CB01}4804C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\windows\system32\ATTACKRANGE\REED_SCHMIDT{B81B27B7-2353-6193-A0BF-070000000000}0x7bfa02MediumMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{B81B27B7-26DD-6193-3701-00000000CB01}2648C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c calc.exe 10341000x800000000000000056917356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.080{B81B27B7-2344-6193-1600-00000000CB01}11043036C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3801-00000000CB01}3348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.080{B81B27B7-2344-6193-1600-00000000CB01}11041156C:\Windows\system32\svchost.exe{B81B27B7-26DD-6193-3801-00000000CB01}3348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.065{B81B27B7-26DD-6193-3801-00000000CB01}33483700C:\Windows\system32\conhost.exe{B81B27B7-26DD-6193-3701-00000000CB01}2648C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.065{B81B27B7-2352-6193-6F00-00000000CB01}39763304C:\Windows\system32\csrss.exe{B81B27B7-26DD-6193-3801-00000000CB01}3348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.065{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:53.065{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:53.065{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:57.543{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-26E1-6193-3E01-00000000CB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:57.543{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-26E1-6193-3E01-00000000CB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:57.544{B81B27B7-26E1-6193-3E01-00000000CB01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056917428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:46.913{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50024-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109967863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:57.062{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109967867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:11.267{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58731-false10.0.1.12-8089- 23542300x8000000000000000109967866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:58.656{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F22000A127B3888B1911797257EAF8,SHA256=F83FF626D2B9F38CB63340E0F5D80FE0224930B4CB4FD2F1D90C7A6FFA043C15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.602{B81B27B7-26E2-6193-3F01-00000000CB01}57405716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056917447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.555{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9214008E466E3A1334408C94224652E3,SHA256=F10F2AD525B7997E791D7614EF31BEC170A42636D27BFFF247DCBE1605264636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.446{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-26E2-6193-3F01-00000000CB01}5740C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.446{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:58.446{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.446{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:58.446{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.446{B81B27B7-2343-6193-0500-00000000CB01}416432C:\Windows\system32\csrss.exe{B81B27B7-26E2-6193-3F01-00000000CB01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.446{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-26E2-6193-3F01-00000000CB01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.447{B81B27B7-26E2-6193-3F01-00000000CB01}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056917438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:58.165{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9ACECD627914DD67B74797B2CCAC991,SHA256=D88436194BFC0EA2D5FED131DDC72EAB965EF32C77C1DD46AB381E5E0413D9D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 
03:34:58.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=428CF5C7350477FC415AF17B6113F4BC,SHA256=F987D1A291D46035E4D1BA4ADAD998B184F04FB87019E3A5B4C14A6708C0CD11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:34:59.750{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A46A824EB162765FE7A43030EA9D1FC,SHA256=788056C0B4446F460AB0C5AFB6FD7BD99CF928AF06647392FC3F7C09664B633D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.715{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D82BA99533FF5D8E9634D64B7C21C0F,SHA256=A077CDA2A88FD0199AADE796ABDE74CA48879D2D314AB492EF93781F2A107D3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.277{B81B27B7-26E3-6193-4001-00000000CB01}60884216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056917457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.199{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BD81F70D96B072B7E3AD142F6C3ACB,SHA256=E14E1F3B7390599632732E735D5580E804954AC7724D1B6ECBAAD3F34C8DFC45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.121{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-26E3-6193-4001-00000000CB01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:59.121{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.121{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:59.121{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.121{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:34:59.121{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-26E3-6193-4001-00000000CB01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.121{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-26E3-6193-4001-00000000CB01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:59.122{B81B27B7-26E3-6193-4001-00000000CB01}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000109967871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:13.470{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58732-false10.0.1.12-8000- 23542300x8000000000000000109967870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:00.765{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C5384C03110580E450F6324F74923F,SHA256=A1FCC23D2FED55D95E6EDF184AADEEC22EFEFBBD89BAA27E58BDB16BE83ECB33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000056917468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.574{B81B27B7-2346-6193-3000-00000000CB01}32043224C:\Windows\system32\conhost.exe{B81B27B7-26E4-6193-4101-00000000CB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000056917467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.574{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.574{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:35:00.574{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.574{B81B27B7-2344-6193-0D00-00000000CB01}760912C:\Windows\system32\svchost.exe{B81B27B7-2345-6193-2300-00000000CB01}2188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056917463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 
03:35:00.574{B81B27B7-2343-6193-0500-00000000CB01}416536C:\Windows\system32\csrss.exe{B81B27B7-26E4-6193-4101-00000000CB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056917462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.574{B81B27B7-2345-6193-2800-00000000CB01}22644024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-26E4-6193-4101-00000000CB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056917461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.575{B81B27B7-26E4-6193-4101-00000000CB01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-2343-6193-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-2345-6193-2800-00000000CB01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056917460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:00.355{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156830217C17D2A80543BD726C2D8A0B,SHA256=23B39C2C1147202D78738100723C7115F1957E33BBEDCC4A73FCE5D88948BA33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:00.281{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3AC5BE3789BD5AB17292F46D53D50A3,SHA256=789A9DF4810F8BB985E0D14D02AA9200FB321CCB3629A3FD906A3BEA9938271E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:01.765{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791A23B953F963563EAF3E81BF683486,SHA256=B5DB533B4CA98809E7F7ADB2184F3C622403816C5024524FA3924B7865AFCB84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:01.590{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4254D64483E3F452AA16ACB43D6B33CD,SHA256=543D079463D07054CFE8AB5286B2EABFE65ADA40F9469BFE4C64F78E137310E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:01.449{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817C1BBBD9960B4B63F8B5AF86460767,SHA256=72BA64A9C72ADE06B9BBD1457A064EE42241ECAFE8081012D2D2B248616B2A81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:02.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59828F9505049922CDBAC6214CD86DF3,SHA256=DBC5A5EDAFC7BB9CA7F9A8E34A764E8FC56B160AD68462B671B376A32780DB2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056917472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:02.465{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9156A55CCF433AEB0D4B5778E585E9CB,SHA256=03C0786DB03CA7929BA612BDE3BA5A4863E04C95D09E6B6EF51706816D5F60F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:51.944{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50025-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000056917473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:03.496{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96882F336AB8275723C847E7B7B9438F,SHA256=F3F8152C70FE9FC4604BED4AA536E56CB8BC6EA49E0A57556361DC32E7AF136B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000056917475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-16 03:35:04.606{B81B27B7-2344-6193-1300-00000000CB01}720C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7da9a-0xf1ba63cb) 23542300x800000000000000056917474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:04.496{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3716017629797461EEBDE67207C827,SHA256=3185EEAA3A6ABBA80E8F43D0213BE5CD959A361713A074BDEC2098427FF16F05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:04.609{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9740E9FBCF4A1F4E4608DE4AD01C4B1E,SHA256=5BB97874821A96A59624C3450E5A18482F552808EB98763581B7C72D814F71F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:04.046{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C3F9564DB380747B671D88E5B64316,SHA256=D2CDB16A0FC6F38A043CC9E4ADEC8E4939AF7600E95CF945C8AB48A0E1A6AF47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:05.527{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEEBB1B16674A48FC734898818D1ADD,SHA256=8D68DD205BFDE00844BF76C905EDBBA73B7AC4660CB7F1D31BA1F3301BE9FD1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109967876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:05.140{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDF14FD3D4D56C70CCC2AB60A9DC024,SHA256=FEDF67314C5D38A35527AA5F602E4A79E320F7D1E8D12625E07B1929D33CF69F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:06.559{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90278B604CAE31650BB537BF60BB250E,SHA256=0CAB0D7E57371028E51A642C5DB48D7AB01166C896C70EA7BE7ED1712335EF7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000109967879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:19.392{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local58733-false10.0.1.12-8000- 23542300x8000000000000000109967878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:06.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10B12F5A63DFB83478FEFA87E10D3F9,SHA256=D954D2272429B88C1B1179DC0D95F91FDDB4F1AE20FDAE2D5F2A0CA69F89B491,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x8000000000000000109967877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:06.156{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BD0904FEF30882AC750E394D74AC49,SHA256=8CC1751C9EDC8BF5B8504EE2D17E04EA737C93E03240DA4A2D4B674DC36E2B71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:06.340{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A0F6A0B8E2A21B88FEF4E771529F71B,SHA256=D964FC388D8B1EF02A6F967061B23195C40F3B98CE8C75A359ADD9DCC734F6E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:07.574{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B161DB171567347677183A679F7FF01,SHA256=7988D8459A8C02615D7DAD660214476B0178D8A8D90B9E560FFECE9451BC54E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:07.375{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861EE074AB6ED99A26B8358996D56E3F,SHA256=EAC50C4D747DA005C8EBB89194572EAD6673F4A55D22B7EBEFD1BD643A510D18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000056917479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:34:56.959{B81B27B7-2350-6193-6B00-00000000CB01}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local50026-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000109967881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:08.562{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9B71EBE5E34A22C7F0601AF79898C1,SHA256=937542DD7E304CFB3C1DE0FDC4E8913B104E1F78974EDC08957E731E8853847D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:08.590{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652EB42B888FA47D33296C78AEB202D5,SHA256=D1804201D302314E4B6A8DB5EB754EFC0038A754B3C61575DADDF288787681CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:09.774{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC88AA0FC05D3A007D6B513D4564227A,SHA256=2453A9F453F84AB3D27F4500E4AFA1740614D5732DE6F8ED213E98CE2A879FE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000056917482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:09.621{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A56FA1805C6F7439DD64C6B13A28BB8,SHA256=984B0EC9376B71DF8273DC75B1719BBABC82ED9701C7E7B309182CFCE3306FBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:09.618{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EFD36B2989799B270D0E92C77E238CC,SHA256=4D9181C2B59065CED735072D652CC19E69B095099C5E5DE59A1E9703212273AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000109967884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-16 03:35:10.774{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EB07AB723456F6BDDA0B02E84281BB,SHA256=2EA14D5EE2D01E3B85BF6F14DC7A2A58B88550ADC8F43C76A86DBB88047A2375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 
23542300x800000000000000056917483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-16 03:35:10.637{B81B27B7-2357-6193-8800-00000000CB01}5124NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18582D736D473C0B0B8D9F0B2CA86745,SHA256=66E6FC61FF23705D50EADEC93FB8FC06E175A286D49934A7BC38A2468FA139C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space