23542300x8000000000000000107409016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:30:56.492{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08771788FEFEAE72512264C16FFBE20,SHA256=6395DFAB5CC24AC0D4F4A321BEB80260612FF3EC721CE92E9EF6A6894C0D0B74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A4D0-618E-B342-01000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A4D0-618E-B342-01000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.389{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A4D0-618E-B342-01000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.374{B81B27B7-A4D0-618E-B342-01000000CA01}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:30:57.617{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D6B30FAF8540059CA5117CEEF4DC9A,SHA256=FBB5EAABA393FD83CD70D65D0B5442F3FA4A3DF1CDE47983D425B6246A17DEB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:57.404{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B360EF509D233EE5E76A6854AD5DFDED,SHA256=046E3CDF3466A4593CA31093E5394C64619B32F300FF0815A1551763E4BD964A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:57.404{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62D506A8864B9AAD5470B220EB23970,SHA256=4B68357802421B45D13334B459CA368C59AC623DA7D0DA5832BB9912BAD5E91B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:57.186{B81B27B7-A4D0-618E-B442-01000000CA01}32405432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:57.076{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49035883837012815F1BED29FF4BFFE8,SHA256=2B8ED07A5620231CB66EAA52AF6C9D90ABC7DC25CE3FF236353791E01C0A24A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:57.014{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A4D0-618E-B442-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A4D0-618E-B442-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.998{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A4D0-618E-B442-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:56.983{B81B27B7-A4D0-618E-B442-01000000CA01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:30:58.695{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA2E5061686833113B9529031C8C432,SHA256=76FFA80ED316D9D291BFA4848199F09687C8450015E2F2E11F015258DBB75BB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:58.139{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799C77A3D1BC25B239BF23EC4B1412EB,SHA256=9FED17EA59A69AF2B2D23E482FBCA23550372CFFF1DA7932985E9622358DF9E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:38.654{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62964-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:59.357{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8149C79E138D23C58CF8481D9ACD9018,SHA256=541ED2A24AF0250683C757965A0E548F9000220697BBED013FF6280444401A2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:30:59.695{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3436C2891641592764910CB67D481E8B,SHA256=3DDA2AB96CCB408E8BDEB79BC288375042DDFF80AB7FF573E9B0B69F2F4680BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:08.478{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61639-false10.0.1.12-8000- 23542300x8000000000000000107409022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:00.695{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4737876103A14CEBA8C0740B4B12D0,SHA256=7651E3FCBC0FBC00506FB2A5396C2498EB436C76CD416366673220835B3162A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.967{B81B27B7-A4D4-618E-B642-01000000CA01}4772968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A4D4-618E-B642-01000000CA01}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A4D4-618E-B642-01000000CA01}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.779{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A4D4-618E-B642-01000000CA01}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.764{B81B27B7-A4D4-618E-B642-01000000CA01}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.436{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163A4D030DD15BBFC0B994F263E8307D,SHA256=02FCF1BDE7BC4C99B2D81AB517E0B9FCD3C3AA8F7D86189A17EF2437318F4976,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.326{B81B27B7-A4D4-618E-B542-01000000CA01}36803184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.217{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=01A5AC4C605605C6E35B3483725442BE,SHA256=1433F96EEB3533DC2C5A7FCC677CDAD8954F417EA1BD0E9E7A38F097D1A49226,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A4D4-618E-B542-01000000CA01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A4D4-618E-B542-01000000CA01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.092{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A4D4-618E-B542-01000000CA01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:00.077{B81B27B7-A4D4-618E-B542-01000000CA01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:00.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2FBA7AB43C021E6A7AF5BF2039D6998,SHA256=6CCF993147228AAEE086F2AB9DB2AF8802282D8B6123CB726235E5ED161CB849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:00.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2315D642AE8973FC459FA727A4954B9,SHA256=C9C8CB4E70F81F3756962856DCA9F9F70B312977BB12E78C4BA78A02E380AC3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:01.695{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E254AF178CC3038B504C568BE21B79DA,SHA256=6027AB189ADE89340C1765C2BC3118988C28E9A85C3F9B76AD508322DB97C007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.499{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05626C92CC79A90AEE897636924623FB,SHA256=993C55C7F5DDEB67621EC9CA1AA760DE1D2C6581DFE9C6BD222A06C44930C9EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.482{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A4D5-618E-B742-01000000CA01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.482{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.482{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A4D5-618E-B742-01000000CA01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.467{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A4D5-618E-B742-01000000CA01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.452{B81B27B7-A4D5-618E-B742-01000000CA01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.092{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B360EF509D233EE5E76A6854AD5DFDED,SHA256=046E3CDF3466A4593CA31093E5394C64619B32F300FF0815A1551763E4BD964A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:02.820{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C9414697423BF7FE781859F2AE2F3A,SHA256=1FC4180D506BF837702254D8E852A334F2BC9E7C3930A71E99498D4956AAD614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:02.717{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D93224F76785CDA54CC4C8A91C602BD,SHA256=4EAC45910B83E14384D626C894A03262A6CCDB90E92E6BC618657E576DCB9502,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:02.545{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A2F94C4F2D4DD23D0D5F80665ABDC7,SHA256=9E9EB5F017894B21F83FFCA22658D9D153FDFB45AB330731E3FD11B1B56BDE48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:03.859{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE0D98728323FFB13D6183AB019B2C2,SHA256=D22A2431C7E00BADC976C0BBE1C28BC02028BBC316EEF6D32964B8722C834516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:03.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2FBA7AB43C021E6A7AF5BF2039D6998,SHA256=6CCF993147228AAEE086F2AB9DB2AF8802282D8B6123CB726235E5ED161CB849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:04.937{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AD19D9143D5998FB89D9BF21B5BCB1,SHA256=5C7263CEE7783B50D9AB15D497A325DD67768D6BFECD1DBBF43FDCF3DF7F1D9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:04.039{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6764FC5363F092052CF3C2A816985A2F,SHA256=4ADFCEA090B2D185092D5ED3EA191B5E0CB69FCA2CDC8DD979BF168D4EE8D215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:05.953{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724A0DF7338A0194DE0AE850EE11818E,SHA256=C0188F5B122C272992A553FE27D13BFB19E5574F9BAB9E2185E3123AB39C650E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:13.478{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61640-false10.0.1.12-8000- 23542300x8000000000000000107409029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:05.274{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA3E3C46C6691C5CB54F767904383888,SHA256=12723F3AB3D78D9E4116D36AC5B7E6C477AB3A34FDBFB83012C0CBFAD9FFADFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:05.274{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3198E134122203505A8F1FF2186889,SHA256=0563F84F8B34A8F4403BDD2AE336B888B8D9E14833846E8093B74A4DC42083E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:06.968{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6186B5157B6885F80F0D3F7E51DE474,SHA256=961CB8D686D9E2613A52ED0A0566C28BBAF86445FFA6F101D4477FD157B65270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:06.274{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FC5F6DBE6F903E65D8BCA578267F53,SHA256=A138007166F4F8ADDDF912A5228FD0236682DA6A71010EF368E354032F7335FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:44.637{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62965-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:06.242{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:07.981{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C0C4C8EB6FAFB6470B0018FC761657,SHA256=F2E893A8A676897CB9ED234075C0DA1554DAB028A386EE7ADB23A2CFD4BD6BA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:15.650{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61642-false10.0.1.12-8089- 354300x8000000000000000107409036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:15.463{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61641-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107409035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:15.463{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61641-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000107409034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:07.452{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8ED10E67526BCC181DB116564C2B174,SHA256=D566AF1D21003EF4397D0A6A3DBE60E1072E0BAF12369AE9CF04AD29E8B4E841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:07.070{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=103EA21211D7E31DF8D8329F1D0D5E14,SHA256=777034212EDD601A258E26CCA0F4CCC8DC66CAB0E3EBFFEA81D389071471EE18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:08.997{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9AA30610F4C75142CACC7F4F918213,SHA256=B96269B4686C7D72841048EB09A018B538AC54E38F7642515D068D4FBB0BBF22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:08.483{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9598A454D340CAE434C73D788CD25B,SHA256=DF629607AC0307CDF7AD71682F1DB333370A539F0183A3366559E45DA37D7EC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:08.092{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70641EBD5B62FB7831AE25F8F5AE2F6B,SHA256=57693B7DA62ADCFEBCE701BEA65BFFE4CBE73AB3CF10AAAA28DE1430027F0065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:09.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1352C72CC0144FFF02B4E3682554A986,SHA256=085532F0311CA18EF013C4027C2AFE8C3E7F0DAE0841C94E25CF8DD6530820F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:10.216{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFEA02E0B252E564F7DBC111EEB775C0,SHA256=3982467ADCA89A27480E3159ED02F82F855882F1E55ECC394B8B3F14F86F1A80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:18.485{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61643-false10.0.1.12-8000- 23542300x8000000000000000107409042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:10.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CEC0288ACD2EFF09A29634007C8F7B,SHA256=DC0E24FB15B0E9136218DC4AC6D5122227089A7D09C369DF82DA372BF8A5962C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:10.280{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B84F7828F07C42F85D3A091A48BCCC27,SHA256=578F0E62364E942DA97ED4908E523C51805DDA6AF050E0AE1BB9C9C9F0469D4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:11.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AD603FC94D4871E356638EE7909C9E,SHA256=D920C6D46033AE828C9BA9F4555262EEF683164F1E33F052C239172EE1A41510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:11.356{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B539CB7B7ACF04F7265120C1C1B5C226,SHA256=9650BFAE4B6F809B4796C968B6A884DF00ED4459E3AAFC99E35A6A8971E57C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:49.775{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62966-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:12.733{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6D0D217D7AC1F3AD50877FF845AB65,SHA256=3BB19EFD5168536BF252E44BAD6F2ECDB32B75AAE998578F667C41DEB10636CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:12.419{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF92B899F4A73DFE73939EB9AE190346,SHA256=A8D7477ACF8E5AE23952221714A22D4DAF9A495D8BC1F9CAC6F22EFC60A13322,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:13.733{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F28B578010470F018E4E67E8C173EDC,SHA256=ADB3DEA952EEC14CC123A0194426F45F126B1971577C53691105AC22C8B0E0B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:13.435{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E72E548382C86E27E449773C03094FA,SHA256=35A5E2481516A39375A1C903387269CA89FFD621759CDA4026F5E5ACAD66EFE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:14.466{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0041689419BB59BEB3B65B4D4BACF943,SHA256=DC50D2C3B88AEEB36501EC97326F16561F705282617B4D29A52841E052AF0264,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:14.733{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C10276F108CA023A8D3BC19B13A5E6D,SHA256=37F3C1B0325680575E33A341EDEE984D0558524E96A138AA1677D497B52D3F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:15.482{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E30C4104927245763EEA9CCBC69F40A,SHA256=9764F8ABD4E42ADDD373E15ABB764A804756E4B7B8BEB6F2DAD275BED784C512,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:15.749{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E85F9DD674E1AC931FA6B9956E8F38,SHA256=0DF9A5821F92E7163A563EBC73E96E7C33151AB4E7E7EEB8DD2E78894D3C6EDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:15.467{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8B4E54B2E7ABA9FC22E0193EA33A090,SHA256=06B9913287E0533571EBFA0B65B5E5AD7D79BAAF328C9E40D547A33930375AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:15.467{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7FEABDC5C86CF4B111D1C2CA0C8EFDA,SHA256=F783988B2E551AB939009732B2B43DD0297219F0BAE56E23842C57FAF0670E05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:16.764{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A9EACEDB9D04E189A554C413DE7A19,SHA256=128BB6C5EA1B6DE6A404ED07948220632B29CDF1BD96104EA509A39D2DC0536C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:16.514{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527CBCBF8B8D628C1462379972B6D6C6,SHA256=C2922524DD7E72F44F7CB17C18D9D1928875C7426BA2620AC305E29FDBD9A94E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:30:55.697{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62967-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000107409051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:23.656{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61644-false10.0.1.12-8000- 23542300x8000000000000000107409053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:17.780{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5F6ADC5D8F784EC6A8B42B9373A0A7,SHA256=F46BF1AA04441590AA867521CD445650C1C9DBA034E69F9AA1407EFA4245CBCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:17.542{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AEFDC779434A346AABA72B53A6A682,SHA256=84781EECC58A5A72DC78D6EB63002BF28E80D28D39CF0FA86660C294E12917B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:18.548{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA1E277CFBD2AD2C457AFA64B129173,SHA256=0B439072B664632C38E414C5703E42A8435134FB2B51D730B7E83D545BB40CAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:18.780{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A74AF2F76609F9D6746F5B41995A33,SHA256=BFF3DDA2734F1DC483C6BF03FDCBF7548577F1819E5A6DAC3C69D7ED88DA4D76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:19.611{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A2A967AC2EFA2BF850F1D861D23544,SHA256=136B440BBB86826067C7ACBE40AE853962DDE266999462AC70D65B17BE572E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:19.780{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86DF5C2F1B32DB6DD1F19BF443C5BBDA,SHA256=D5A2E8D329E85F29617BB31699EDECD411F077E7F3108F8DC6BC1275C5825D55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:20.842{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C060FCB4839ED6679BA71978B973EE63,SHA256=34349965A19A532FDBA4A1B6AC679B50636204C1891328753B9AB4D37A694305,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:20.626{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0E858DF1C09AD88A5D7A7973571373,SHA256=D4BEDBA6EF14714B486E09D31871C56ACFAD8F7BD60B11D5ACC7C91157EF33EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:20.671{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=44AE051269B1873A8D825A7F2F38DE41,SHA256=DFD54F810E1C3DDF0A651BE1A102155401A6072085B335C07B86A43F63747D89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:21.842{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6CFD3094EBC407B7E67C8EAEFAA017,SHA256=DF11B9E3089C2AC471D629B1E1A5531F2CC5DBB6485C964764606B10A836D4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:21.642{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CF98B294629C72998900F18D043898,SHA256=C7BFC4B661C5C5A8B798E05269B374BA5614026E83A9CABF68D0F8BBCCC7BB93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:21.296{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF16B8FE0F96BD5A539F15D6525B3556,SHA256=28DEB9AD296A612138CA1ED9A4A1702EE1542B1CE6BD6CAF489D802B84D2A326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:21.296{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8B4E54B2E7ABA9FC22E0193EA33A090,SHA256=06B9913287E0533571EBFA0B65B5E5AD7D79BAAF328C9E40D547A33930375AA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:22.842{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281B474F12BE523D42917FF5828682D9,SHA256=42BE65E8EC467D1BB58536692F1097F80B3D4D8B9E4E6E8E50C1D14874CB2D5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:22.673{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007A0F70B1D67D2B4EF7BBE4BB338E97,SHA256=69F396B257A804B63D294FB43EE63A2396AF4A159B6F327FFE67B1C25ADCB5A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:29.532{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61645-false10.0.1.12-8000- 354300x800000000000000055905441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:01.732{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62968-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:23.858{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B288E6BFEBB21CC3E65B1322334F1581,SHA256=A1005E35821C4206D1229C97FAED3C9FE5E358B980AA5FBF5B250D78193BD1C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:23.689{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1679717280375ACAE0F2BC0BD12A8A,SHA256=FBD4C6BC6C18A5E8007B974901C2F659C045864C5B632365786F568757E4AAA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:23.092{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF16B8FE0F96BD5A539F15D6525B3556,SHA256=28DEB9AD296A612138CA1ED9A4A1702EE1542B1CE6BD6CAF489D802B84D2A326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:24.986{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:24.720{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA826B53A39A11D02BC772D82D209F22,SHA256=D381089EA1B19C011F8612D09A00F46D646139AE5EFDE04909DACA6391C3376F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:25.736{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E82D65DCDBACB1C7C81AD80D7F0840F,SHA256=CAFAF93D9323477D0144749126A8413FB87F499DB57B6CA0EA14AB8121B95558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:25.077{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754659120D4FDF160D6054389F23695C,SHA256=76C70476140E48B937B58C0A4B57CDADBB2C21F3FDA440874EECB0E314CEACDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:26.782{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B6685B0658BA3D57F5BCEE56C1F406,SHA256=DED16BC8903A0AF0AB35380528456295AF57F088EB07003B01FB5D8EE5529794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:26.124{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18F064D5F7534499BD525AFDF695638E,SHA256=3C9DE6F2667C85FD63D01C598C2CFC7B3FD3CAF3F17EFACBC0D8E730B2B8FE13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:26.077{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E6CFB5A8AA762075671084653291B5,SHA256=DCAAB2461D66AAAC40DD77E7D9B10F699340EC155CD368B286D0CD96D497A5F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:05.482{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62969-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055905449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:27.799{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06812EA36BD5C4F99BB739CA095749B,SHA256=BDB29BD647B3A66AEE69445FA10A9F88073D02743D0AB04825FFCA85D4871966,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:34.547{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61646-false10.0.1.12-8000- 23542300x8000000000000000107409068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:27.077{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04831B2CA8467101F7D4FA1BA1BDFE0F,SHA256=1860B814ADA57DE5E12EEA6220CD69DB4A1B8FA6CCFAEB62BF6ADB182CC9DC2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:28.861{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4964FC0A4060665F943854A04125D92B,SHA256=49D6966713B3817D152123724BECD900EFC4AF389FA6D620C6DAE01444AC38B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:28.316{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493522EF5C8BCB0112F877B487E0BC33,SHA256=083D3A92DA7F93D165644734404D42072FE173E5FB0C11EBBB301D0BF88C6E25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:28.129{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C362F2EBB93E3550DA76761DA5AA9B,SHA256=BF0E3F81FA40A13861EDB474ABA4E6DA5FB1B7BCAD506128F94F68F8A8CE9E81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:29.893{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61ABF42EDAF594210A97494650F6BC01,SHA256=351812160DAC9CE525AA76AE54F5AF83D8CD969B0B28DAC50F9AD4A79DD7967D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:29.316{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B49EB02A2AA692D573DEF507A92189,SHA256=2F16F42907D9432022AEC97ED8D81040AF8FC46650C448F0BD9FD76661ADA08F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:07.655{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62970-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:30.908{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAE5232004B7B14D4FE13C713D5C4D7,SHA256=5A36275B1836D45C21DE94E7C719C90A8E305BB8F9BA8B9BBD89DCDE99C51039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:30.488{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8152A6C7116FA8BA36FF059AF3FC51,SHA256=C22521A3239D9F3AB8ABA4B7FE2681FC03E374A8DD21C3ECBA7BBBFAACE6F33D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:31.940{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA40D2C12A23AB9414362F878AC22FCB,SHA256=363D2AB431DE2533BCE09430BE17EFF185D1A6480E731A8060350ADB0A3FAB75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:31.488{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F81444BCAE1307BA454E5AA6EB3AC9,SHA256=7DD08508516B5989B873001E1C1747D0B3D2246421B903F06F1ABE6782649041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:31.269{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21A285407BE6A82EB40A5B7A6EC00936,SHA256=2ADC0D56A8F25A01227BC6A3F77D199622A24D81F5BE0C81AE058771C8EB66BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:32.955{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CF21D4870B848B5DC01E8FE722D6E9,SHA256=D27E6075090D331C73EEB92BAA562F856C64AD620CC3DEE304A5E5198A894463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:32.551{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8310C3DBDA0AD90220CCDE67971E8C71,SHA256=38D847433EC56EB1F541E5CA69C1413FD540F80FEF480AB57BDF4033E02693CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:39.677{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61647-false10.0.1.12-8000- 23542300x800000000000000055905456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:33.971{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7113F28AA0AA499D968CAE2BA892F13,SHA256=4ABDAD81836E4F9593D4B65237CFF3391E06978D9ED305B9BA0D4CD4B59A3A0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:33.551{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD93AACC4070C0B3C5E7387DF638341,SHA256=67B7F3A3B7709BAC46538D1A789328E3B9AF9F9763B5CCBA9701E97173F928BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:34.785{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4774865F20370740AC9F9B9FA356B97A,SHA256=220E66DBE945AB6A28D2824704F36D45FB49FFC2C29BC8AA6425452FD56EE658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:13.608{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62971-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:35.926{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84F18EDBC65BA8012C1F74DCC0271D2,SHA256=531D74B147AD71D819709D2EED1662AE0C8CB9709BC1563D428BDFF33CBA1C5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107409082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:35.066{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:35.066{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:35.066{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-9799-6185-1500-00000000CC01}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:35.018{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBAD40B4EDC3771C4B6F7C7CF83F8CE,SHA256=BF5BDFF8F0FE4630F467ED0C30390FA3892F33B1CEDD23CF570C9968D266F397,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:36.033{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6EC046E38DDED128D13A38A01C1467,SHA256=72E63E38AA162854A5D0104CB6E9FCF4B3D77CC15F6F5C09F408BF16FD09A5E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:37.269{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58E0E11345115F67E1C4703D0395E96E,SHA256=2B281B9D9586558FB66DA801E96CB24831E5981C95FAB0B85D46FB6035A3F690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:37.269{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA7CE3615E0549A41836C92906245D15,SHA256=9F350A311CAA8E2A11EBFB10771C8E5275F0B918EC639E963C752E5AB9E7AE5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:37.113{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF55A61384796E32A061AC8C097625E,SHA256=A0E89EF275FDF51CEAC09002F81E0E6BAE806043D6ADD24F5EB33788718F1EF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:37.049{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C797025F6E0E0755068B6B15DBA198E4,SHA256=4C184C7C6983972572237C2CC30AC6C2A175D3308D7793C857901EE535DA2649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:45.662{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61648-false10.0.1.12-8000- 23542300x8000000000000000107409087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:38.269{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02396333AFC5746A8FC37207C94DBE26,SHA256=F74ECC1DF04E846449D551C6BAC48A068605C848E17C82DB7C4ECFEA1A378983,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:38.080{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6699A17145025F6565C20C0DDC30B884,SHA256=7E1F224861EAEC6B4610A2508CD83103A35A5107F8A69D10941E0E9915D2A0AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:39.379{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7626F4D720CBA2D567B4B07683D51ADF,SHA256=1C274F39AC86BBECED79E16368F7FA7B5663FEFB05471EE96871D053C20F3603,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:39.096{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238D15AD5D6CD237D44B4B9169070BC1,SHA256=7B5960F6C32D168662B9E44533B95B1E4D7F2090DE05531940C8E637104C306C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:40.598{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E432E5B57EE87E13A1C5099A03904721,SHA256=7DEE414A7C2CE3BC24EA6B3642CEAE17E3F3247EF7C8D17148DC4583F40D2055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:40.111{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E67733D3EF0F9830A12FB51B586548F,SHA256=B25A72672D11F9EBF4F540BC8B5489B9F0D82EF54A2A6234017F3198B2DAE7CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:41.629{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51A6E4A33DEE9F9D875919294C451ED,SHA256=B710B6CE961D77B684BF913C4366B3AAEDCA5B4D7DD0114A430166575BB2A763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:19.607{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62972-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:41.143{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507688341F0728459349859B68C29096,SHA256=BC74B7C6AF792529EB3ABAD87D19AB11E46D878FF775FBC9C3735529B558F817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:42.769{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0606CF042EBAC06C45E9E4DE48256C,SHA256=A31025B58503577BCC9F3264E6C79A71DD9861D639D08839ABE3C6396FC3C854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:42.158{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA196BC2AF5745A15E275F9ADF19E58,SHA256=1311707789EDCD7EDC9656F1189A276DB7141EB811A5BB1E649C3190F1E1FFC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:43.769{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70156258318724453F17A12E3708959C,SHA256=2708426126B0213AFA2A45F1E22F48BCBD63BAF7D477CAFB5249CDDB49836B19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:43.236{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED603B8647E481436914F0E4901E3AD,SHA256=6E066993F781FE16568653C06A1707DBA54AF13C197DBBC9A4E761D39A1C5763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:43.113{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA01751F6A8BF1AA5BF274AD5088BF8,SHA256=79C28F9945427B71D5F750FCD08D20F2F126CE9A8F4FB072C8391320984E3605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:43.113{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58E0E11345115F67E1C4703D0395E96E,SHA256=2B281B9D9586558FB66DA801E96CB24831E5981C95FAB0B85D46FB6035A3F690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:44.785{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085D74DF8A81D0F138BE39A28CC6B711,SHA256=E2DF9B8959183D337ACBC02A657CB816F3EEF8985EDCE88CED5E684596E0D993,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:44.424{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032A95D349BFC371866777B136638BB7,SHA256=B3686669C980EA911ACDBD837367E13C59F2228387E04B1093A15DEEE96C57AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:51.631{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61649-false10.0.1.12-8000- 23542300x8000000000000000107409098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:45.801{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD111A65F0F95AE15D4564BF5CB6FE0,SHA256=DB22E6B7B1A2841B23FBA73B7A256FC3440A04619433C8AC04A1071DFE0BFD64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:45.440{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6D64AB8AC5FDD73D6B07B5F0422FE3,SHA256=7351950C6C3E9148598869B22F782705A65B49D68F8A391209621315BA9962DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.986{B81B27B7-A502-618E-B942-01000000CA01}56641104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A502-618E-B942-01000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A502-618E-B942-01000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.799{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A502-618E-B942-01000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.784{B81B27B7-A502-618E-B942-01000000CA01}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.455{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2355D85E3940F2D9B05845C56ADDEC,SHA256=F7F15CFC689354E436F63955D8692A254CFA65E946A1B029183F46F6A98A5D59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.769{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.769{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.769{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107409155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.598{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.598{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.598{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.598{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.582{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.582{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.582{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.582{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107409146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107409126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107409122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107409121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107409120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.566{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107409115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000107409112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107409110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107409107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.551{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.520{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107409103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.519{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.519{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.519{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.519{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:46.519{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A502-618E-5611-01000000CC01}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A502-618E-B842-01000000CA01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A502-618E-B842-01000000CA01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.111{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A502-618E-B842-01000000CA01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:46.097{B81B27B7-A502-618E-B842-01000000CA01}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055905504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:47.781{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1500-00000000CA01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:47.781{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1500-00000000CA01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:47.781{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1500-00000000CA01}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:47.469{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E1EC4B994609D5FE0DA3FAFFD5C00A,SHA256=E50098D46C6676B5B38C13C8D3C4A3A00E431E1FA40B9ED185A47C7BAC281D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.908{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107409262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.908{3BF36828-A503-618E-5811-01000000CC01}60605344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.908{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.908{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107409259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.767{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17C96695400842933B40253884966D7,SHA256=07088F916D0573C46E098C6F93B26B99757BFFE9008A02B8D63FC071111EDE20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.736{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.720{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107409223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107409218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.705{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.690{3BF36828-A503-618E-5811-01000000CC01}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.533{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA01751F6A8BF1AA5BF274AD5088BF8,SHA256=79C28F9945427B71D5F750FCD08D20F2F126CE9A8F4FB072C8391320984E3605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.439{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107409209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.439{3BF36828-A503-618E-5711-01000000CC01}50242748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.439{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.439{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107409206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.220{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.205{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107409171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107409166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.189{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.178{3BF36828-A503-618E-5711-01000000CC01}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:47.173{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7015405FCB91AF63F3CC9C1EC5A4264A,SHA256=F3356573D1831540AE79AF615D69D0DFF6071EA3F055645F86298F448EF68A07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:25.623{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62973-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:47.125{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2915FD111E7DCC9E86E14C70DAE47E3,SHA256=024EDDCCBF372144BA4CCD1855956E63AB5995DC0D80E2C7FFC9006FF99EC721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:47.125{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E71A270AA764B5695097C9099404CE6,SHA256=7F64E2BBB04D1ECB2B23F6A659B5512441F4BE1E5B09C73408150CD2351B9DD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:48.484{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A839931239FD48893C611CEE907682A0,SHA256=5E637E8AA8E5158AD2866121EE713FFEB5FE76A49771D67D6E1B17076223B4AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.705{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7516E67305E7B8986195D2D5921AF4E3,SHA256=680EC286E98529782D2B5E94DD8DA83EFB399D909588B407E6D6F86B3B57FC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.580{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.580{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.580{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107409317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.548{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.548{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.548{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.548{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.548{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.408{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107409277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 23542300x8000000000000000107409276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC294749704840A15A1DEA56F31BD681,SHA256=F76CFCA41F5E53E109531C8AA3F48F9ECAB6DCCE2871D4DBDCC6C81B23663914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107409275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107409270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.392{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:48.377{3BF36828-A504-618E-5911-01000000CC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:49.500{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB879DE8E3E5B57E54DF4E1EC83DC024,SHA256=5EBBE69A71BA0544551F5F3C4AF979CCA2B4F5801D6AA70F31B62F382DE1D049,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.798{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.798{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.798{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.783{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107409387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107409382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.767{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.752{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.470{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B218201777908113FDCB79B6B96856E7,SHA256=88C2874C42A2994C78C70C27413775DB2C2BD7C7CBC62CD9C6E58826C7031F39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.236{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107409373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.236{3BF36828-A505-618E-5A11-01000000CC01}44885448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.236{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.236{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107409370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.111{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6DCA84B83B33D8618034985D12B81,SHA256=C114BCE21E968C294199B7142A9A3519B06E0C0C4A3F1E68A0969CC96E951E1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.095{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107409338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000107409333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107409329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107409327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.080{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:49.065{3BF36828-A505-618E-5A11-01000000CC01}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.754{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A8860B9670CC1624141ECAA9D5B622,SHA256=3106A71AF5F741BBE3544C90900AAA55A7415BF33A1E2CFFD7FE8BAFD8D5956D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.598{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FE1FA4F03429F0743BEF63F24B4657,SHA256=3EAA3D565DBBBBA60B08AC22FE267E1E652782B035D15E53345DD98C9F95D8AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:57.488{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61650-false10.0.1.12-8000- 734700x8000000000000000107409478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.520{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.520{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.520{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000055905507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:50.515{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85252028C0D5D2FD5090279CEDB7B5B,SHA256=7B8CABDFAC2230D4354F97FCBFDC09F61F4D1D7450DE7F98221A08DF85697BD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.316{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.301{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.301{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.301{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.301{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107409463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.285{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107409439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107409434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.269{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.255{3BF36828-A506-618E-5C11-01000000CC01}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.127{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C27601A09F9F7A9AC3B127BB56649E5,SHA256=56C3197B5088ABF21C87D162B11313D9548B157580BE0CC7F49EFBA1A8CEB71F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107409426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.033{3BF36828-A505-618E-5B11-01000000CC01}2132648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.033{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:50.033{3BF36828-A505-618E-5B11-01000000CC01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107409483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:51.626{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50263A124CFDAF1E0F57FFF6126F49D5,SHA256=03F7387C25A7908687723631B75B6C18F2BEF027705EFFD18C728D7C5780E44D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:51.531{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B9B8DC7D9C8335EF11415600C2AB42,SHA256=B70328D2D85026C6247ACC4906DD93BB1639CBD4BECB956B3F5F178D297A73B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:51.298{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1772A95B22E8B203F02E4736BBF2FE6F,SHA256=B98779CDED517A290838B7097F8DDA578853110CF2614B1AC74D5A598048837E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:52.663{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DDC26A6A86E58D7CB123B360DA78FB,SHA256=9EB865DA6F3D76A6E9B55D20738D7057EE93D37E49343886CA2EA305567A9691,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:52.547{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D265643367431A853A0E1A0DEB9D4ABA,SHA256=1B35C0E0E84DF401B747996878CD58EAB5CEB97528ECE3C0775F42FA61DFF565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:30.761{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62974-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:53.678{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCC7BE956D767372ACFFF434EBB073F,SHA256=B6421D4EC967F9A54E14827C9101D45E151E5DE9EF06896B80E7E0EBBE4B1628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:53.562{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667BBFDAB2694A9CE1197B0E779A0272,SHA256=3173C629F613AE86EDC3098C1334637D3EA585E29B9D0A235EAF251BA46048EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:54.897{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C561D71EF6EA93EEF16B274D3C2F475,SHA256=34B99ED5F4331DB42B9FD3503EFDC22BE035C18946F25C90C34FE4708A3B0A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:54.594{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6A139298A1D85F8A296398726C276E,SHA256=59F47A3C22CCE69CB8C1CA1C342D3BC4D200D296CCD4BF13C536E0FD7DF6D6FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:54.241{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB98F951FB2975E803B9D27CB58ED12E,SHA256=D0A3FEF054F14FBE944BFAE3DF8666ECF02003306FD81DD4C86BA63D8D5FFB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:55.672{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7369FF1425CB465522652663D508242,SHA256=DFD65F4A9CA35AD6933507D35E5BD06829D5A4A2433A29EBD9E23BF541E2AF65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:55.928{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C6422A533B0C02D824911D5534177F,SHA256=B691F400ED5169071D42B7F9CCF4690EF37F774FF9F6D145EBF5C3B6285314D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:02.649{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61651-false10.0.1.12-8000- 23542300x8000000000000000107409490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:56.944{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7922031BD05B510B21C26C2A867EDC,SHA256=52396C221FFA2F40EDC96023DF0DDAB6639550CD421EE005BCE5D1DD355FCEC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.812{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC4CC5F890FB87D2434398F1C536BE5,SHA256=2450A8DFE72830EE6F929F12B30288331F8961B2CEB740915238DF93EB624677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.609{B81B27B7-A50C-618E-BA42-01000000CA01}41003140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A50C-618E-BA42-01000000CA01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A50C-618E-BA42-01000000CA01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.390{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A50C-618E-BA42-01000000CA01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:56.376{B81B27B7-A50C-618E-BA42-01000000CA01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:57.944{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2D11397B426046B733523E30DCC2B2,SHA256=BC4F3C5C2D54EE5790E6DE075E1AF5D5E6C28F9F54B25FE93A47EF532ADFD23F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.390{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B95E641CD5C1C4969703AFDC2AE03D6,SHA256=175B1DCF0E95929025B4AF5207F165A720446D88E0D9A47D569697E5B1CDAA82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.390{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2915FD111E7DCC9E86E14C70DAE47E3,SHA256=024EDDCCBF372144BA4CCD1855956E63AB5995DC0D80E2C7FFC9006FF99EC721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A50D-618E-BB42-01000000CA01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A50D-618E-BB42-01000000CA01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.078{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A50D-618E-BB42-01000000CA01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:57.063{B81B27B7-A50D-618E-BB42-01000000CA01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:31:58.944{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC23D1011464448DB86C9455A86487EE,SHA256=2FDF528960873F32BE423F7979D70514017EADCE71FC72C00C9EFCA815347FA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:36.714{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62975-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:58.031{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B77BF2593400400C1243637B15D41B,SHA256=D289DEB14194C93DCEBD18D16A9C096B5BFF15D3E4859ED1C1CEE0CF5A86ADA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:59.156{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96921E7A301186F081109EDF79965AED,SHA256=BCA2762243CF0F4F8CA71BC98B615AD54C1022C2D7DBACE065709A5C81FA8E00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.953{B81B27B7-A510-618E-BD42-01000000CA01}27322104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A510-618E-BD42-01000000CA01}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A510-618E-BD42-01000000CA01}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.719{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A510-618E-BD42-01000000CA01}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.704{B81B27B7-A510-618E-BD42-01000000CA01}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055905562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.453{B81B27B7-A510-618E-BC42-01000000CA01}52202056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.234{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3859FE3D75B83D31B6F76B29116AF718,SHA256=94CA37F974996FDE9F8D8DE2A275435742E2FCB465869D124FA0881D4BF79D95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.187{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C209C91E6674D9E3874A11CB2941A05,SHA256=5CD3E97A535E54618953623FD2A628935C61654BECD648F634B4E998EB6B2DF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:08.446{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61652-false10.0.1.12-8000- 23542300x8000000000000000107409495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:00.163{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9A95A23C658BED4E5CA3A90183FA99,SHA256=F4EB91A6A8E589C7B2641B066B0289E2AF25E672DE48D774595AFFC69A86C30D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.109{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A510-618E-BC42-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A510-618E-BC42-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.094{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A510-618E-BC42-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:00.079{B81B27B7-A510-618E-BC42-01000000CA01}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:00.038{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B754BA1152015B5A973E14C48291E3D1,SHA256=802507AA6EBA398F71B571011B69D4CFC80793F7966792973A88C97096FB4E65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:00.038{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88DD0D3F3E54379F547F88BE1D5D0F5F,SHA256=6B80CA1580C6693CD371705B9C5F49AA953F68AB3EFAB7793F4323867E78A50E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A511-618E-BE42-01000000CA01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A511-618E-BE42-01000000CA01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.406{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A511-618E-BE42-01000000CA01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.391{B81B27B7-A511-618E-BE42-01000000CA01}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.219{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE3A4A0C6853816E64490DF491AF1F8,SHA256=A2B5079D9B7F9E33A6E3154C000DE03598851E4961634DBE281F6E63CDB59806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:01.209{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE600F9C106D82921DB7EA556CEEB0F,SHA256=A2265E51D39C4EFAB22765537464779DB20A9B379393055186D6B52845E3F892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:01.125{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B95E641CD5C1C4969703AFDC2AE03D6,SHA256=175B1DCF0E95929025B4AF5207F165A720446D88E0D9A47D569697E5B1CDAA82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:02.694{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B754BA1152015B5A973E14C48291E3D1,SHA256=802507AA6EBA398F71B571011B69D4CFC80793F7966792973A88C97096FB4E65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:02.444{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB42336998283351FC45DEEA793400ED,SHA256=F07A9C253DE517C1D9C87FD2240094BD9D3BA6DA482CD36EFB62548C626E8851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:02.406{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1103426614C2D27ACFD6B01F2C34C5A,SHA256=D2F03C444445FEFFFE172C5F4334FE8BA9C3E080D35DCA738BFED0F2BE389EA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:02.250{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1B7F90666CBA5B9A4F746D5BED9DF4,SHA256=CFFF00467BDA1052CFA6329ADC24A142A8FB90B48629424A304F895A1962F606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.091{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61655-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107409505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.091{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61655-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107409504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.091{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61654-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x8000000000000000107409503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.091{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61654-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x8000000000000000107409502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.089{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61653-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000107409501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.089{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61653-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x8000000000000000107409500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:03.491{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333B45874FB652694720EC90A32E12AE,SHA256=375D6ABA9D475958886BA41D7B89E472FB0099325E6D8C83AF2C3086296A726F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:42.651{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62976-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:03.265{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C532A76996B46F3D98FDC09E678990F,SHA256=BCCCA1B2D21D7AABFA9964B36E28AE34779C4A95ACE0695D4D08312187E27267,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.101{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61656-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107409508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.100{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61656-false10.0.1.14win-dc-128.attackrange.local389ldap 23542300x8000000000000000107409507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:04.522{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6502F3B52EBD8D253C178BB4CC108948,SHA256=F5EE53FD2CA5821792CB4C95FB99A4CBD63D5689EA516938E2B0101C55936CF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:04.297{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EF972EF1670EF4E72FEEBA7712764F,SHA256=7B18A2CC711BDA48B11C201C467DECC00D576056D9504E543450C4FF182B5BB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:05.522{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F964955F3A9DDDFA006DC4FED04667,SHA256=C8C9EFDAD48B799E22371928A917E8A0D879EF292D98D22A939FACB5748664B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:05.328{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54095201B0A4ECD4B40BC1E52C57F07,SHA256=28A98BBA6A9D279FD6C4478C54526D1FF430DE40B37F102D7C765FC84F07DA73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:05.256{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7270378FD0DD132DE8798830551D497A,SHA256=11EAEE3F1B7B6305A441F1A271810ACDDBCC6F37AB36E3CB989F3A2B526BA890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:06.359{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAE8D52EBFDABCCEAC894AE9630307F,SHA256=416DE729B92EBA38D640EEFD447E029F67A043E3EF6C16C6A2F5BB0DD4A60D66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:13.446{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61657-false10.0.1.12-8000- 23542300x8000000000000000107409513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:06.631{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B78B04C01BBD85A6B8CBCEF94E5C7C7,SHA256=99885051F150B2DDC0FA419CD768A6D6B5A76F4DD3AF2C28A396AECD156F62F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:06.272{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:15.478{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61658-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107409517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:15.478{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61658-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000107409516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:07.650{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF5701E44C4DF1A665BDCFFD7636619,SHA256=FC21A39DD73DC21B2C4DA103459899AD473059C94AE9559E74FBF4242A1FF932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:07.383{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9098A0570BD1C2DA0A029F3C5B618A,SHA256=7B079162FC6C465C3A2B168351F7B33E06765AF21E8F50C01074B5438A266505,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:07.291{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F113DC25D528553B8AD8C90DD4D2A6B,SHA256=1A87DF41B974A2F4C875F81338D15881444ABE9F3B2F175CD980225FB6433D1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:08.869{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492B373702932504595D6C500CA15642,SHA256=C3A970324D905D1BC7DFDA19701CF9452C32A70B80AF786CC5766312CF2EF97F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:08.414{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517ED5A5944A643996D41E3D8D63EC4A,SHA256=B738C5598D44F037A1778439AB7CEF75FA2E75B349146988B7FCE4DB68F9403E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:15.683{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61659-false10.0.1.12-8089- 23542300x8000000000000000107409521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:09.869{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC140400B6B9B7DE916FCA9596EC711A,SHA256=51644A1E4FBB24611F17EA1E051704F5EE76F04B074C0BFDCCBA1F6B713DFF96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:09.430{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C344693E52FA6E4E6C1CEF9136E828,SHA256=E6AAE2912E37325BD61C813CCB8F1BBB97C296DF76206AE2CFAF4D1D21B5FD86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:10.869{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555E5673AF619CDE2CE225CB9FD8F0CD,SHA256=ED0B959527CB4019CE3F1AEF37F63DF76656C9BF3816A639669150E961923B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:18.653{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61660-false10.0.1.12-8000- 23542300x800000000000000055905603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:10.461{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24B9EF404120AB32C37AFE939BE906F,SHA256=5FF559FC2B4E0363D9FBFF8BBF4BB52A59879F011513D8C0BAE8FC94D1A95129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:10.228{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E2950E0B6C54A68AC69A54267A058EA,SHA256=92A396DEC0DBB98A9B465E5C03A534FB944787B22A424150793D7F444F3552A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:48.596{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62977-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:11.869{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58ED14E4B6D5B40515ED5E945B3D918C,SHA256=41C0CA0F90E63A198B075196FDFAF3CAE693FBBEEE0D6178869BBC98E9CA8E8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:11.476{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B585B838D038C152E936237981814,SHA256=6F68BB67D606B6D7034F650A852093A903E427C380F936010F98F155F679ED5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:12.884{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E344938131112AB4BD48205B02BF7E0B,SHA256=BD902259A0066130B1D9B7BE2BF754A90A303F4AD51521CF4B6B16D5F3221F24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:12.508{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3CB370B4E840AEFDBE8CD7A5DF6407,SHA256=DD3B1B36E6420D5E10248F62B86B8C31237EAC6E346B0A887ECF23D873096818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:13.523{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4ED05EC2E7819814323DC5376FBB68,SHA256=09D734C649552CF354176CDDCBBABF2D75269E1EC2AD1391DCBB65F7717D5034,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:14.539{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FA4F2D4E354C55D21458E9615C9428,SHA256=9EB6352E097466FDC5BA4A16E0DEAC83D43C512DFAE89AB23F056D3AE0CBE1BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:14.056{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B944E60F58C5B8CA058005CF25A3BB96,SHA256=BF25EA56A7C0F36C3DB457955DC4A3D80D452727F5588411DC121B852A5EEB64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:53.596{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62978-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:15.601{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C64844998B4001E23727FA646501F9C,SHA256=1DAFB00876025914BB948AF920ED82E5797817F73E647997841C9424222AB988,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:15.072{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2397FBC915E08501137F77752A0A088,SHA256=EA6E4CF7E8AC375F3876BE706C10212B766F70A222A9DC50BCCEEC0578F8DE8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:16.633{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DC23CDE42FB0381F7A3981805CE493,SHA256=D92C249622009A14D9FEE2E9ABC7B0CBAFB18F717F6F6A7C01FCCC5F5DF7C987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:24.485{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61661-false10.0.1.12-8000- 23542300x8000000000000000107409531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:16.103{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B26425FA3902A79DAFDB56506200EAA1,SHA256=A4E29595D659B895EC6B55834BE32F0A57718FBFFCC8776CA785E6D039E4BE25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:16.103{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ACD7810325758C912C0D38CF50AAF1D,SHA256=8AE328701A2C72211C0553739423BBC638CCE85C371800EA102C647758A940C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:16.072{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129269535848AE8592D765858E4DCC86,SHA256=F4D3EB28F444A0F472BC5BB09ADF6768A7422D46852970C79C0F530781AA5B67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:17.634{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEED31258E216D4F27CDA7C5C5CA1F77,SHA256=625FBEAA3E96DDD09F905F58C30B337F960DC17A842E3D61C6324D2DC2D2DF67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:17.103{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3347DD219BBF809FC3549C47F8B7DBC,SHA256=F7870C24C4C4CAF2741C323F31149A41B93D1980C66F9D828F59C9AF0E8DBFB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:18.677{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C318624F497FB7FCD1134E1938480F36,SHA256=7BEFBB1CA08F84F3F86012E25DEEFEEC350A2B4DFF93FB485170B0FA94E8532F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:18.103{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C503616D1F3D6EB431FC1F61377A1B44,SHA256=E9CF630464863A481DD1F44EC97496DC3BF6B455908C7B426605D4E1626EBF98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:19.681{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E40DD9AC29278B63ACEB758DC3553B,SHA256=9C00FA0AFD9FF5F1BAB8396ED5B4BA7C7DACC76C17826F9D1DA56814836E465D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:19.213{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF637903E7C1BD49E6CEA359CCA519EB,SHA256=37F46E1F9DE6677BEE42E5F2B7C26FA1B3DAB3F7D43D56C040915A53B00CC660,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:20.727{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAC48201F68B44BADC16665622434F0,SHA256=4E75A921F269409AE3E2B39C9296084CA4C467E64A3FF89EC72A0891E86D7CA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:20.681{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3BCE27F8E5B4FEB7FE4E052622C95846,SHA256=A824854859C341842B88C91352630E32748E97CE4746B55014B9D930A5CEA123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:20.213{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E8137C31AE6D0F34570B5E659E1327,SHA256=529203A4DB52428FA70FB68D15DD7FC231E11C529890B79060D285C3A2BA7A66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:31:59.642{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62979-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:21.743{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699E9082EBA3AFF0E474803F9D40FA0C,SHA256=4F72E4296D27EF59062321BBE7B81903962B2B779D3A8F5EEEE3D8BE1E771FA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:29.621{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61662-false10.0.1.12-8000- 23542300x8000000000000000107409540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:21.213{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A94CFE189A43A47610B49BB0220F271,SHA256=540F0867E5CD288A834EB7524BF5991F28F6ACFD7D95BF27ADE781423BC5D340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:21.213{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6A363C01F872F6714FB212EACF7FD4,SHA256=6612ECE841507C8145A2BD7EA28BB55C78E5B47C9057CEDAF7A2A7796DB38A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:21.213{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B26425FA3902A79DAFDB56506200EAA1,SHA256=A4E29595D659B895EC6B55834BE32F0A57718FBFFCC8776CA785E6D039E4BE25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:22.774{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2160D25B424BB58D7859625E7B34EC,SHA256=249C55A0F8B67BDD792FF9387A4BF2FBB7AE9A0FBE31341AC389D2DAC986AD61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107409569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.588{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107409542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:22.447{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE948DB46EDE58B16BBDFC7E66279A0,SHA256=B955E681C50994102A9455A60073779DA79A215B9B86A8C346021AFEF2325452,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:23.806{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47999EBA0BEC9B6EA1A1360EA3A1DBCC,SHA256=01B9345C7A653EE964C9994E59817D29E68BF245F99F400A0B6DD76D28F9272A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:23.635{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592AAC72DCA997FE2528C7FFCF62CD50,SHA256=CA88E4A961FE1EC9D97DCC967DD9FF5454CFC86C65BF21D93091E453910981C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:23.150{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A94CFE189A43A47610B49BB0220F271,SHA256=540F0867E5CD288A834EB7524BF5991F28F6ACFD7D95BF27ADE781423BC5D340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:24.837{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B7B3B9B26B9C7269E1537976661AC0,SHA256=20F0A84B1199A3B224DFDC699F75AE810288985A696D53E89453EB306A7A020D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:24.650{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1632458F48C17DF281D1B239EE65D4,SHA256=448E2911AFB0F156DBA7EBF59521FB3F27D1446B0DBF1DF8B9B8C556D0CEFA8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:25.852{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF571FBB4B599D1D08BCAC736C7DF2AA,SHA256=9FA0AFAE3E072748375D3E2FCCD4FF2C41BAE7A5039CA83F0F6FD353D21A8148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:25.650{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6A42E66443B64B82305756D0D2AEFD,SHA256=88DA659BD9F25C96F1DC19A056D9511CD502C02C8AEAE4F004DE6F75AB679F6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:04.644{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62980-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:25.009{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:26.899{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC0244AF1D984EDE404619ACCA41EB7,SHA256=D4AA6D657DCB78DB40C8DE20DAAE453B0302A26C1FB43D575D679FCA43BF64F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:26.681{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBC003A57000A8A80F00863475D55E1,SHA256=6FC13D7B31B0E4B4B43DCEFF64EDFD3522DBF30438C9B3A8A425F3ECFEB21E20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:05.503{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62981-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055905625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:27.950{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CD82EFDC8EB688D2FFB83B2AAB2E3E,SHA256=7741F8283FB2AF88FB10A677D91F2FFBD5F6C056C97F44ABDE4A2E02D05592D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:35.591{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61663-false10.0.1.12-8000- 23542300x8000000000000000107409576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:27.733{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9202F05E0BC50037AA667C806C353892,SHA256=F517E1AC93F1EEF36F88728F97A496EEA068AD3F916BC35EA382CC98EB4CAFEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:27.405{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A94FA2C97F3CC9745CB99734C97A1D6F,SHA256=0770DE4065FF4F468D26E45AA1974CB994F8D61282A2F5161A286CDF3088C029,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:28.966{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85CA31B34E5725B611F94DBA6764B85,SHA256=CA9F4ACD9CBC1B8FBAD4F951FE8903188B1C7C9A70BC34728C6536A437293E82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:28.780{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039F1FA67EF86D13E4070077010A9323,SHA256=1A2AFF650F73A901C718516440DCAC08AF560CF1FB325B3C5B56240FDFD4673F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:29.874{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA23A44F04B6FDC433DFFDBFB2E05B6A,SHA256=88CA5D9E1C8F2CD62B3562A042D12328CF4CB664E2590F83C039791A3DC9D72C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:29.403{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107409580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:30.874{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB641A57CDB0C39DE462AF5C59392150,SHA256=A7C8F72072CB2FE1751F53048F21D4FC180FD37F8616A06C779E2CAD86A83B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:30.247{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702692D1C9C2404D6E2F7847F9E4B9BE,SHA256=5D5160283FBE692712A8203EF4B6CC7A8A8DDDDEE6A7E1D751BBCBBE440AE21F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:09.726{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62982-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:31.278{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEF4B4C86903AEBAFA3C17FA765C2ED,SHA256=916A46E21660FE4504CC59A974F5B19D97C0F2436E7A332264E4671A3C3A6E2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:32.294{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3129D5226A9983303A77C5F5A3DE059,SHA256=2B689C07FAD8DC5779C3BD8A0E549DBA904204ADB0E651CE800E724911326A03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:32.061{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A13CD1FD9315818B9F48ABAA255C172,SHA256=2CB99EEAA385C1348F7F4DDEE66AD686E79D112659F3270C5B38D98C5F93ED82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:33.309{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD917546DBA52B3F38D49843388FA893,SHA256=AC7B2E92DF56C815B78B08EF5DDCD1A22BBDC6ABA94EEC6CAF34D0D892A3D607,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:33.061{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05749B28369E64F9406B8B1A01FC4D3,SHA256=7E3DE02492C9765DFF246841B513018FCDB097D4590321672EDF5CB5E73C5364,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:33.046{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD8252BFB5448FEA2A5BE37C88F16402,SHA256=C71A341D65D2834252B33D10D57F203937FFB7359D4426410C536A047D3FBE81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:33.046{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD9DEF279A48FCF797886E651F764B4,SHA256=885BC508583CF08C20F0743B865D25C59078F72406D65E91A5B69598B0B4BBF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:34.544{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC456F766D5FA034BA8D1BAA4DD47B2,SHA256=1C600F2BDE52C698AC8693496B3EB1FD935EB945AAC4BAB7CCE05A2B2783EAAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:41.471{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61664-false10.0.1.12-8000- 23542300x8000000000000000107409585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:34.077{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69607DCBEA0C03139E6173067A8B016F,SHA256=957F0CC78ACFB76844D0875427CEDAC512A4381175021CACD6D5CDBCD3D4C1D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:35.575{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241A88DCB2A1806B5CC6188F5D0345CD,SHA256=1E4659C6F05E008BDB5EF364A66D282410249EAE2E7ED22BEEF3F72940256FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:35.077{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEE42F93E94E106E111750BD116C12F,SHA256=689052A861A26DFA7742DE967144EB0FEDD6D01C69F377EA398529CBFDAF7CBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:15.757{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62983-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:36.669{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B282FF3BDE0102ACE5E51946BF33443,SHA256=58FF45D502DFD54B9F3ABD3BA3FE056871891AE690FC197CDA115FE9538831A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:36.249{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9475A421E8A9318A905805BD1111D931,SHA256=ED5483E9CECB04ECBA56B2725BC2475306E21F26FA4B907D3AD9AB06138F6121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:37.700{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AA36CE4D9F6D9B3CE90103DCF95ED0,SHA256=2A9F850090B465896897C7F8F6A2392D4DA64E8131C84BB63E06D67D7000F228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:37.249{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0791D19FEC38AC8D2EA1FCED01E4B683,SHA256=4FCB61ACC8F44BA458D8BED17895F735D5F633B7708F832D23087ECCB024D8BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:38.731{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12044E3E74D5606750CD3A2494C21B63,SHA256=E5FB6CD8AD85D885AE4E523886BB0152F6573DDC42356E060EC3F3897F9DD4A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:38.483{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D65C5D2ADA6BB21D0FBF062C9950ACC,SHA256=E463F1159F0EE186A12FFDD8A6F8D81CF45B8A2B3257D6F99441A2326EEDD6C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:38.139{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8FF1A20BD61AAF677A0428FD4AEC936,SHA256=DC72E3AE63BD4D4CDD9EFBE3AB572E088F5E8D0BFDD1E517B0AFDFA61C9FB841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:38.139{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD8252BFB5448FEA2A5BE37C88F16402,SHA256=C71A341D65D2834252B33D10D57F203937FFB7359D4426410C536A047D3FBE81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:39.731{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DE52623EDB33ECDBFBAA8006BE8405,SHA256=D45F82CA057BFC8AC3A5F8FF80E13E7A713F8CCDA9A91739B8D455CA0ABCC862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:39.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBC5CF44EEF1251BC31C5EF192416B7,SHA256=C09660903FD9B86195AAE3835112E11846148A1CDEE93B804FA0BA974F458D8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.548{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61665-false10.0.1.12-8000- 23542300x800000000000000055905668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:40.778{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7509D324EB510D3708803F59A8FFA5E8,SHA256=99B572F1774977B22CA5130EA015C14C0886951513EF31B03EFBA7C5A7B64497,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:40.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6ADC696F281956BB6389B737743B84,SHA256=4F1AE2F7F8165A693E57741D5D8ECF86BD6945EFA4133A4B97CBA1D654C05191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:41.794{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6120733EEB0AF9795FABC3DDA5FFDC65,SHA256=18568E5BF0D7EE1FD3114D3FAB4E5D3C78C0947D296DD35F45FADDE77C2F8A85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:41.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5504ADA9DFCE1BCC666F01537EBC8EB0,SHA256=8EB1A465BC0DC78B7FB63BC4409268ECE2334B62D52A03C740CBFAAFA0719FB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:42.841{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA21DB6DC44D9A3B5401031E8B606895,SHA256=7CC023486B7E3E5472206588936CE99EB1659F7C17BDC2403D08193C90B1566E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:42.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B66DF6FFBD14A72BF849D484BA53EE,SHA256=1967488D120B6DF3E0DF8E5F43315123554AD9CFF0B413B3FD3CDDC37EC82521,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:43.872{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97248157FD5DE5500C4BE8A088AD299C,SHA256=3D9142C4B958018ADD56C02B6BB33B673CC7895FC044E385A4D0EA599C2D104D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:43.639{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6196E5E2EDC0B19432236EB02DD54176,SHA256=B3DA2B6F8A0F463FF7B795484B9416C6123C21E140FF786709021B1B60D4B54A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:43.264{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4D9866AB8848AA233C6B00096FE6C8C,SHA256=CDB90F13D1E39F1AB3907CE2AA6D38940C7FF754FE76FBCA8796463333BA22AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:43.264{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8FF1A20BD61AAF677A0428FD4AEC936,SHA256=DC72E3AE63BD4D4CDD9EFBE3AB572E088F5E8D0BFDD1E517B0AFDFA61C9FB841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:44.888{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771D3D7068C110352D6CAADC20625E45,SHA256=1DEDCD5B4AEF4C58D8C978D8E180508F4D67F2B1C31B7265108C20DF26AA84A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:44.702{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3B27CC6221E79FF6C94409F8ED5514,SHA256=8B7DDFBC3E1AB84C5AB3FF841D715DE7DD4CAB2F8B679BEA84423D9FB4DED46F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:21.741{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62984-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:45.919{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8DA245C63438CA3BC391F95E5ACBE3,SHA256=3A4060A2970382739AE17D496FFD8EADA9F3BA5DC4099294CBF2F43FCFBC4B07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:45.889{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B341BA16E1FE2E5B3E69A8DC704FE,SHA256=00BA288CDC07AB72D62F532B82269F5A65BB5FBE35856996FA0D288C0EE03546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:52.548{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61666-false10.0.1.12-8000- 10341000x800000000000000055905701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.966{B81B27B7-A53E-618E-C042-01000000CA01}53123184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A53E-618E-C042-01000000CA01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A53E-618E-C042-01000000CA01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.794{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A53E-618E-C042-01000000CA01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.779{B81B27B7-A53E-618E-C042-01000000CA01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055905687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A53E-618E-BF42-01000000CA01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A53E-618E-BF42-01000000CA01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.106{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A53E-618E-BF42-01000000CA01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:46.092{B81B27B7-A53E-618E-BF42-01000000CA01}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107409659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.733{3BF36828-A53E-618E-5D11-01000000CC01}54324576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.733{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.733{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107409656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.655{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.655{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.655{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.655{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.655{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.561{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107409615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107409611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107409608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.546{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:46.531{3BF36828-A53E-618E-5D11-01000000CC01}5432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107409768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.925{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.925{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.925{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107409765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.753{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD244F59BADB2C4E7783EC2916C7BD31,SHA256=DC039F3C7CCB41212AEE6224EC0C95EB8E35697FC3E9967C2F1C8FF575B53A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107409755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.722{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107409733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107409730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107409729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107409728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107409724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107409719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:47.454{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A89F745D40549BB2E0B8770644B94339,SHA256=EB857A9918462CF18FD81F394EEA4C559C82C7FB8269245780C78E486ED05A6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:47.454{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8585AB65E00E9620AEE4FA9C4787C6C8,SHA256=F3339AA012A4786409FA4A04F704EF32CCC7A879A5067FF5D43988BFD907D3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:47.454{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=889861814DB9B234F90C7B90D3818B0B,SHA256=D7B21B90FEBF1360B375BE17DA4C02BD69DC92811E2C81DC4644F325EECEBA7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107409717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.707{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.692{3BF36828-A53F-618E-5F11-01000000CC01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4D9866AB8848AA233C6B00096FE6C8C,SHA256=CDB90F13D1E39F1AB3907CE2AA6D38940C7FF754FE76FBCA8796463333BA22AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.300{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107409710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.300{3BF36828-A53F-618E-5E11-01000000CC01}56406044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.300{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.300{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107409707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.139{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.139{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.124{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107409672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107409667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.109{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.096{3BF36828-A53F-618E-5E11-01000000CC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:47.093{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE624314C5B60DC6CAFE5EF3E0F61B5,SHA256=7F50796843F94DAB18466AA674E854CC5F98B136A98A59C94EEDAFE0A9B90F93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:48.454{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7167DF546B29C576CCD3C356C51E528E,SHA256=D1D8C5328792417A44E1C6259B7D77A1CE414E940712AF4A60729B40811B2733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.753{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A82A11856089C05771116B4DD82F84C4,SHA256=58D5379F54374D7D7E09220426CD4A003BDE1EB4B2511DCA26C6F70609C8B54C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.566{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.566{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.566{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107409817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.425{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.411{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107409782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107409781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107409780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC94FCA8E3115054790EFFED8B0B629,SHA256=2A6B7C7CFB4E6CCC43ED54A857B9350AD462A6DEA6EECDD30C192310DEDE0C9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107409775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.394{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:48.379{3BF36828-A540-618E-6011-01000000CC01}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:49.501{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE12A335C508AB04C778A3A1F76539A,SHA256=DFA53DC0AE483ED581E94D9C0B3D2821A5AF35A4F56E1E776AA1E53993A62406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.957{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107409925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.957{3BF36828-A541-618E-6211-01000000CC01}58801436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.957{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.957{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107409922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.753{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.753{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.753{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.753{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.738{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.738{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.738{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.738{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107409887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107409882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.722{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.707{3BF36828-A541-618E-6211-01000000CC01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.519{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2E207C71EFFA226E172D92C0A8C092,SHA256=1BEB9270E4E56D6E63871248C984ED732C975704E3D3B62CEAAE91560DE4A239,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.269{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107409873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.269{3BF36828-A541-618E-6111-01000000CC01}33524956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.253{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 354300x800000000000000055905706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:27.522{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62985-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000107409871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.253{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107409870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.066{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84663D39D5B321E3B0A8DCE062B66CF,SHA256=E915D222F5AB43B598935032C18D8403718980293CDA8A1445E09E26C7F45C5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.050{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107409850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107409834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107409833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107409830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107409828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.035{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:49.020{3BF36828-A541-618E-6111-01000000CC01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:50.532{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55CA1B2138A5567E26BD0C99A0BE179,SHA256=3E77A5A6B6D5207AE3CA65C64253D1CB7E84D19F46DCC3C1D79BCCE8A7CD9C23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.597{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107409981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.597{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107409980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.597{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107409979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.550{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D667A1520DCBECBB857C87F4A06FF1D,SHA256=756E123686D1901B7D499E66CA8C6FC6C196C85EF782AD690FBD332A78DAE1DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.535{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9885F25CC4ED93908D3445738AD66C2,SHA256=44CB6E0A6051F6852A6064A86FF6DED1EC7887A3A3FF41551D830EE348A5EF2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.503{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3C79A66CA647489652A8B028322DFD,SHA256=D1E3264F7FE7BA6A18B57B7581DD37383F93A322C0FB672B5FAC8379478885CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107409976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107409975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107409974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107409973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107409972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107409971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107409970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107409969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107409968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107409967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.425{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107409966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107409965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107409964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107409963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107409962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107409961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107409960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107409959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107409958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107409957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107409956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107409955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107409954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107409953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107409952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107409951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107409950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107409949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107409948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107409947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107409946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107409945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107409944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107409943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107409942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107409941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107409940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107409938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000107409937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107409934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107409933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107409932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-9799-6185-0C00-00000000CC01}844408C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107409931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107409930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.410{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107409929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.395{3BF36828-A542-618E-6311-01000000CC01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107409928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:57.600{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61667-false10.0.1.12-8000- 23542300x8000000000000000107409927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:50.035{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98CC72392200F3AB70F947D589A42186,SHA256=167DF5039B61E8A96D183A0E73ACB1A34A8DBAE015163F172278980199C4D100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:51.536{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D953B5318811D3A5CC07BC862994640B,SHA256=71CBB9525D41478761A0480EB99C7187A3DD5FED0CF0F6F5303FD2EE3F801A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:51.548{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EA6E0797DB49C11194DF0655577197,SHA256=5D9F5C984250D87946D55327074980687629456C863308869302442FD250D979,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:51.411{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=417C6FB8ADD3ECDCFC99544176728623,SHA256=3179E124E23D049D38BDF11EA774BBC624F056D9EBA7C76C8C5DCAF1CF691C00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:52.595{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2805FDFC0E518017E316FD575B68182C,SHA256=B3EE478FCDA0F1DCB8C94020541066E3073CC038A6B8C018A2AA6348E3246D43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:52.563{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFA35C9439A3F3027F27B2AFEB6E75E,SHA256=DD224325462CC7C450FB22202359C6E59E7B5141C900A384E3D072DF111EAE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:53.615{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE165FA4613876C2C2C9031FBC18DFA,SHA256=D58702614F506C3C37F19D30FF12C4AD1D439F36715DB38B2788B3CFE43968FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:53.595{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF7D98E94134DA5199A2B12DCB4F0BC,SHA256=602A99D6DB4EAB6D6913AD01BD65260E9C4AE2D4E194D09B00618B8814C109A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:54.626{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44491456AB85E1448E8ADEE8E956B3E4,SHA256=897682E7DC9FC6872143066B0E121E46DE2B697C74002E728FCD2492D02EF3A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:54.646{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9389149D8898356EDC2D197A61BE8908,SHA256=686A26D1E9C2ADF052293C61184CEFA1C44D4297B6A4CAB25907597375417A8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:32.745{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62986-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107409989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:55.740{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B92026F0434CB081136B2237B68C56C,SHA256=F1EB63F05133AC33C8349E43D328AE1040BA8FBE0338ADD52B364BD21F279BBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:55.642{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D547DB58BA06FCCAF6BB1C08A339D3,SHA256=DCDBF3890485ADA56A48DEE5C6D487615D866ECFFA89DFCF605C8A49052F11D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:55.209{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24AC06684574C1A2ADAFD3175DD2D080,SHA256=12CA492360981C95E761A8AC29544A751A510EA379CC48C6F35A636255EACBC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:56.740{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E149D18C8944016820F8BAF4015D7F,SHA256=8219262FC8FB92E3E476C3C7D7513E2D10C80E81A4B4B561095B69BD9F9FB511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.673{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDD9029FFB66F7BBC4AB5E876E42425,SHA256=2DB1B42B4A9ABC9A30C63BAE3BBCF82CCBF244D3593705E8B17A5149416EFC0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:03.602{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61668-false10.0.1.12-8000- 10341000x800000000000000055905728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.564{B81B27B7-A548-618E-C142-01000000CA01}61285508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A548-618E-C142-01000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A548-618E-C142-01000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.392{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A548-618E-C142-01000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:56.377{B81B27B7-A548-618E-C142-01000000CA01}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:57.771{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3409CF91AAAFB9781153AE0C90ABEC49,SHA256=9B3AB5374899376B264C86A2E91813541AFF23A5FE43C30E2BFFB7876C2A9A97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.907{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259649353CE8899C42DA2CAB8F3CFEAF,SHA256=48F5A98E066691CCC5C5DCC355054D9DD1E019576C21A1F2DEA4D0C4506573F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.438{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01C81AF5EE255B00619B2E5F830F0705,SHA256=534F2247697F16BF1F4C761BDB67CF47A554D41431277FEBF71257D854EF40DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.438{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A89F745D40549BB2E0B8770644B94339,SHA256=EB857A9918462CF18FD81F394EEA4C559C82C7FB8269245780C78E486ED05A6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A549-618E-C242-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A549-618E-C242-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.048{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A549-618E-C242-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:57.033{B81B27B7-A549-618E-C242-01000000CA01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107409993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:58.927{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01AF9E310E8D63343B069BF806C5A001,SHA256=9D28B9EDFD5B88506470B253BBAD3F612CD9A32C8991F09EAE556E8A5B0A862A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:58.970{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C2E01C7AE373964D6EEE0B6FD75B4D,SHA256=5025634FFE7272D3DBCB16A9E0E654DD6CF60EB2A60D138C1713A00E8A6DDB03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:32:59.959{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB3CB01C76AB25DC913BDE4D3D13FB9,SHA256=74E277BE25EB0FAB847ABB3D8CF9C076FFF4AE8231670D3618E7169DCFD30C5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A54C-618E-C442-01000000CA01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A54C-618E-C442-01000000CA01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.782{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A54C-618E-C442-01000000CA01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.767{B81B27B7-A54C-618E-C442-01000000CA01}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055905763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:38.745{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62987-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000055905762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.313{B81B27B7-A54C-618E-C342-01000000CA01}3321412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.251{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A5778657CFB87ACCD9790E778A0C73DD,SHA256=EB5DA75185F6A6378C93AEACC6E7DE8EB04B35F296FDA9BBD2DA0F1D602AD123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A54C-618E-C342-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A54C-618E-C342-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A54C-618E-C342-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.080{B81B27B7-A54C-618E-C342-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.095{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A857DF15AD5AA898030000C84C19A943,SHA256=80F1B5D41C541E7238D786ADA43E2FAE2A9D4C2042D6370849F1115995A73088,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A54D-618E-C542-01000000CA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A54D-618E-C542-01000000CA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.361{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A54D-618E-C542-01000000CA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.348{B81B27B7-A54D-618E-C542-01000000CA01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.345{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDAAB56EAB3F54A69690B0BB8D7CBF9,SHA256=E7223A07DDF660BE491F2633D046B6D02FF803330DF36D0323C6EBDF5EA1FCCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107409998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:09.477{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61669-false10.0.1.12-8000- 23542300x8000000000000000107409997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:01.084{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F11132F55A1575B4C68534ED5A7B02E,SHA256=0AD6F270D439AD5C3B2A603E62CE4E3E4AFFA005F4985E963220CDBCB1F6D415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:01.084{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAB2AAAB56557EF5822384F323C8F3F5,SHA256=C9A5A9C198B8E05DC7AFC6549EA59BD6F26D27745C5A319AAF14E76F1CD32C36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:01.068{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE07C06CAA03115B3F3F9FDFFA242BC,SHA256=944C47DFC119A2997FFE18078EE28F05CB824BE0678ACDB58E69B9B06AB415D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.110{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01C81AF5EE255B00619B2E5F830F0705,SHA256=534F2247697F16BF1F4C761BDB67CF47A554D41431277FEBF71257D854EF40DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:01.017{B81B27B7-A54C-618E-C442-01000000CA01}44166124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:02.360{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263E5ED1E88ED44580F11FF79173DA51,SHA256=50400FA4025FA2337AA4C970A515D8E25C433FE1D7244D10AD6FCCB2A7C4C3E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:02.360{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A32BB785B8DE0F789038BAE38A20148,SHA256=60234E7250A792F1765966EEABA2C2889275877E278BA6A6C42498E93AA020E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107409999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:02.162{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9990CD46F70ED8225CF113C6E63F893C,SHA256=2379F432150CB3B3BB6704B42889524197D374A15B3C2E72673D0199BDB5E1FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:03.517{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CE2BEBD5BCB3A6212A4C54C8CA2446,SHA256=8763BCF92CD7FD379F64F5C13830925F765157D0C690BD19110A433BFC203362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:03.302{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7C9673E49902F5E83C810451355645,SHA256=A2738D72507C5151D42B7D1D86958A8D17642895029C071FD288D4870A79981B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:03.256{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F11132F55A1575B4C68534ED5A7B02E,SHA256=0AD6F270D439AD5C3B2A603E62CE4E3E4AFFA005F4985E963220CDBCB1F6D415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:04.532{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EAFE1B26EF089F4BFEDEE7CDA5D454,SHA256=10212C1EE64C61E3D529EF9C0E344C3CD2D563135992FED45ED641AD9E1171F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:04.318{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB9DDA8C3F802F1AA0C0B2AA710CD4F,SHA256=F177C0EA063F853C94EEE2F2C29F2800384BBA51CE37996AF55D97D073D07FC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:44.588{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62988-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:05.548{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E5520971E6C44C01650FE35F872388,SHA256=CE99CDCE033DD5A4EB9592442CECF8042E5661E3623FDB99F251A0E812C4628B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:05.412{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5738062A24129B9CE1729E5AF2A25D68,SHA256=DB24D15328C0CE187720482CDEE3F4AA94FD79C0ABBAB5C82AD4602D48F81CAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:06.564{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315BCDE7B1632DD7F2707D81A3641371,SHA256=1425A5E7284BA5E6BB0A437BC791E8630474B8DB8982A60E00A6A86DBB10F071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:14.649{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61670-false10.0.1.12-8000- 23542300x8000000000000000107410006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:06.427{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A860CACACE54AE55A03DCD03423E86E4,SHA256=A2A919EF1C2EDCBE5BE90C38A3C28D534427EA61919FE79A395303DB78983C62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:06.287{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:06.224{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D9C6C0A43E5ECC4C82EA16A659FF9A0,SHA256=FD1BB6C1DC6EB926D8BCE0F931342907EBB3A2777CE366AEF195C2A94E8E7C23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:07.578{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAB6FD731B99E83426975330EC1700A,SHA256=D5E4DEBDFE0BE64C218624F79805BA47444154DEFE012F722C641E10201F4A86,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:15.493{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61671-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107410010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:15.493{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61671-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000107410009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:07.502{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA209F0737A3CB182F506558E3F375B,SHA256=E6FE9DC7BCEC32B62644A7C971138FC4FDD2197ED904C746FD54EF0FD0309641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:07.298{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A167DAEE44D214D9F064842552AF68F,SHA256=E4F941559FE10155C872479FB45F456405E768489A337ACB5CDB1FBCE1A3D92B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:08.593{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AECAB9B84955ED7AE09E102CFDE9D81,SHA256=12AA2F37D74EFB4F7A31702DDDBC3C98A64F925EBE97A7A3AFC9DE2427254CEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:15.696{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61672-false10.0.1.12-8089- 23542300x8000000000000000107410012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:08.533{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926F63237400F19BEF9F3410B392DE95,SHA256=9398A3EB7489F2D22087BE9275CB65EC3797F8ED7085C738EE194F33D21E0101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000055905803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:33:09.828{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7eb-0x5c67605e) 23542300x800000000000000055905802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:09.609{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00F922746579BDE6CCD877611E3E9CB,SHA256=9469E2F215B8D43B11460A8A4FB67EF8B58022D6A76D865F492B19DA6263E91D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:09.908{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=658871F032AD276DE6F461238C1D7E9A,SHA256=C7B1EC30D58583998EBA6AB2CD3B4256127E0189EB8A33D014B63552F4D715AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:09.533{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175A8FAF4095A5855CF731479376F2C5,SHA256=069FE54726A48489D11FACCEE615C3504AAE80115440E04EDDF07253936F4FCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:10.767{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74C631A34FFC0FA4413E1A68FF8F315,SHA256=C6A68850D42EC387708721798312DC942CB403CAF03DDD41809D758EE9D82B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:10.626{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00288A11E0A966417CF3E4771F1785D,SHA256=CFDD678DEF354B6DD5C7E1F85BBC28AC96668B5436D3282102DD22C436236E1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:11.861{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4CA29388DD0BBA80EC567A64BCAED2,SHA256=772E9C05B2404F68876E721201CB6E9C3894BF315EF58579356D43FA0117DE32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:11.704{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73061F8F665B78878ED8B3AF5074FEC,SHA256=807D6266C2A63049C0C7F72629A1142148312508F170541606414763B882FF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:12.736{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A276E809AA43C5096DF84CFF5F139E,SHA256=B04A72CF94FD4EEA3827D5C835E221F3B80374D87B755B3515233CDB3BE8C8CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:12.908{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93647A584823178EBE5FF45872D52FC8,SHA256=CEA27BC49BD5D2A876977D56B3E9139FEBBD9B13B32D257EA4E0063D4A3F41C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:12.127{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CACD5BA68D36CB5A67B693F3522FD008,SHA256=BD7CB72F6FD2C68B97AA8952C112D5FA037839B586C70AC0A8D7CD391F7B83BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:49.743{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62989-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:13.751{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C88323AE51984AD66D99924572189D7,SHA256=B057267C6AE0C977C325832F19BC83714EE6E228D4D3C8ED16631D46B4878920,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:13.908{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EFFA9958448E93A6C2127A13ED3EC1,SHA256=8156F43B3A36A13900198DB2F275677F96DD864581200E9B840054CA9F2E2931,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:20.489{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61673-false10.0.1.12-8000- 23542300x8000000000000000107410022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:14.908{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271D8B21D927E91291DD81DE21E7E4EF,SHA256=CB984AE45D8787BA05442B89968C3125E2E88248B313765DD973FB1E6F3CA4E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:14.767{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F263FEDAA370D0C45A1EB3816827E525,SHA256=9D51204D6E07AFD12052C6411719AA7A5303B78A5DD95F9710A6A7DD89E81E9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:15.970{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947F2D06D7B970371407F859898AADCE,SHA256=826C3AB7F2FFDBF0ECC56B7634EC8A7C87F8E81D7B1B4E1FB59D572F3C917082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:15.782{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5160C7C1553D3E939333AE500F014DEB,SHA256=028F3A679E36CD9E244827B806116984BEA110BAC87247ABCCD88194B7D3D308,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:16.798{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4112E894F6EEC0C2BB1E477EC44EDF,SHA256=9427453F02685F277F6AEF72231FF0C4029EB7E14C510AD66CA0108886E737B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:17.814{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BB18DCF8CB9011701DE26C4FB52AAF,SHA256=E714AF150A39791B9090FEB5AEE46133CFAD0C538023DCD0ACB3431D8AA0C15A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:17.017{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1A2C56C6C8A6419343A01FBDD61525,SHA256=7C6D01A3A059027CE4EE4A8C898F36F9190233BE5FF4B32A839399A3E7015121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:32:55.591{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62990-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:18.815{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72DFCA1CF3AEC4755B068CCC4991399,SHA256=7A6834CBECC59F9575218BEF23B6D06ED69568FDFD2F6BC5966532D51FC10CED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:26.442{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61674-false10.0.1.12-8000- 23542300x8000000000000000107410027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:18.017{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6847FE1406766061B3251BB8D4E76239,SHA256=E8E39A1BFF547BECC5B42016FB601A338AC3CDE67C600F91607A4CAACDEF7ACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:18.017{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0951E908E48211F4CAC4C18676E1FE9,SHA256=585B1CB7993040BA729B8EB7EB03FFFC66EB3C6F626155E6E0DC24BB64EF21DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:18.017{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08728A842186D79B41D71972827CB299,SHA256=A1343CC8F1F28A29AAA3998902E07F265FB92EA04DD0AAAC9E1B4C5D1070DFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:19.236{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B5B4FF5534E58FDEA2212F7A18E78E,SHA256=4FFE25325449D5A81BE76CAF54024404013CA8E0BEE83509034E606EEDA6859C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:20.689{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FC3F527158A464BAE0CF069CD08D46D4,SHA256=860075707A4542F45B16BB86EDEDD80147931CA9B50CA990E76C4D8EFDAF7380,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:20.314{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F5983DEFDBB26B7F29992D12317C0E,SHA256=07F9344FF717F31F7AB84909AD2EBEEFF458600029B8E162AED3F2FE2182ABDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:20.031{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4354E2ED3D95632E595942DAADD2F49C,SHA256=C500FEC9442C5233222F59B3537454B4B0F4CF5B8EF76070D6E7EB010695322C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:21.533{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F17D1ACA80EF10837217B3A8B38A665,SHA256=3AF2CDA0F466A3AD4CAC3867C59A08ED0D0B7E20DBA0AE1E98B6AA8869A204FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:21.066{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F102BD6CB1133564B4085D09A7F22480,SHA256=7BD8B5BA070D93D36562A95B4365A81807343303831735DA964C361CFD18BF44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:22.595{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C85DDB854048877EA8AF2A4F724DE33,SHA256=310D33B9BBAF37058EA3BE75BCDE227E4FD918D1842AA0595501DD36FC3478C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:22.253{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CDE5B0EFE7DCE49ACA77A0245FC074,SHA256=268FD1F11496BBC94FF6372CCFCC9FD2E2BEE3D5E0C2441DCD8602A1AFC79B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:00.695{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62991-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107410036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:23.627{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262A18F1F844DE43F516CC038791026B,SHA256=6E0AF8B53E2F724F4B844E292D9A605394F236B300BED5A24B7217B520A7EF32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:23.285{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731013F75B65A65FD18B55F455B909DE,SHA256=E04782A00ED8E16A5206C8B0E884087A9EBEA39C8B4439D38D81AB71B7713F9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:23.189{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277A875922F0A6D60513117378B5A83B,SHA256=987FD73C26D3D4588D662E1305220D2431BD6D3F7189AE7CE5B543A95E811DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:23.189{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6847FE1406766061B3251BB8D4E76239,SHA256=E8E39A1BFF547BECC5B42016FB601A338AC3CDE67C600F91607A4CAACDEF7ACF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:24.783{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CE35DE6071F6A1F1EED3DE00E0FAD4,SHA256=90DCE8BF3165F1D2099661E583B3BC208CED06352540E8B92856DE8753E9CE79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:24.300{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168C84EC61713A426825460139275572,SHA256=D2F18D9728B5A6E8466080611D6C83264658B9671FB4B672D99DB4BA83A8018E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:31.646{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61675-false10.0.1.12-8000- 23542300x8000000000000000107410039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:25.892{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7AC90D3998578594EDE07ABF63BF7C,SHA256=11B46E320D3EA8A69500A6831B8E1C377175F40FE6DC9E1FE46CABD975979A1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:25.331{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C9ED07CC6CAEA1A65D419A03603E19,SHA256=AC928906EBC9AD38F35C19B30EF27B088C75E3541AB3EF2E3032EB56AD012DD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:25.050{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:26.970{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6E7C69C0063D70155ECF205F2EECD9,SHA256=83D9E9C8AF1D6C80D3CDBA4B83422F808A6583B9B30C778ED1BFE629DA73B410,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:05.526{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62992-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055905823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:26.378{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C2F80F6E9559C460A346E3AECA7058,SHA256=B44C795557F4DC802D404330C70D43C75B7EB4B4479D3520A08C70D600B598A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:27.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136AE59BD7CE4916031B72ED37D3640E,SHA256=D9FA934D77E9CC08B674B132F03581D351F54A18CCC47302D088F14371B7D657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:05.760{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62993-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:27.386{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F034BE1774872641AE7C8725049B24,SHA256=AFF1847F2B932BCF2531628D52BE5A35B000F23C98E3AC0CEB6B8A63811DD432,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:28.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1199B251B905491DFA83E7DEEA62872,SHA256=A1E0D26DE239922D976E9704135C81E64CDC01E7BF4D78504AA89B84C832CED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:28.401{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C279AB3A2806632788865C97BD09F91,SHA256=A972B890F5256A0534FE3EA8542CBF4F96DDF8B536BBEDF3B8857551BCC9BACD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:28.199{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FBF9B48505EF66A2E38F68E2975BAAD,SHA256=3245B6C23C3583F617F2EDB5D7CD26B7F9832E1FCF9C34D0B110D2720D6C360E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:28.199{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277A875922F0A6D60513117378B5A83B,SHA256=987FD73C26D3D4588D662E1305220D2431BD6D3F7189AE7CE5B543A95E811DEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:29.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8FA4D86ABFCEDC03F6CE21CE873E4E,SHA256=FE7A2BFFB712E057492514CE082BBB215CEB05BEB664724C9B26916E1B9CF35A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:29.432{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D436D4491DEC8770B320E6DC78D4D6FF,SHA256=64756D6A0F422C12B743AAA720FEEAEA2D4F9E2E0EC29A9807019308F24650E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:37.624{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61676-false10.0.1.12-8000- 23542300x8000000000000000107410045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:29.355{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FBF9B48505EF66A2E38F68E2975BAAD,SHA256=3245B6C23C3583F617F2EDB5D7CD26B7F9832E1FCF9C34D0B110D2720D6C360E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:30.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A76AC6FAFD10CDEBFB203260D4A0C79,SHA256=4B25DB0AD55FDC290A153F14B530CD2254CF0582BE8BF86937AB19049692E205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:30.479{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1419FC04B774FBDF132DC635C6D5F13C,SHA256=9C0895D8332052AA552A49940D7B1E05B88BEF2092528F85A4015BBB71B29F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:31.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71D694570CCBCA2479306ABA6C44113,SHA256=4FAF23E3AE0D2D66D0D9705BB355B7D5C33EF96FE48964B73A1400EB21E31155,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:31.495{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D3C1F337B261E80BC05D797BBD72CC,SHA256=A894761678AE5D76E69FBD03C490C75C1E30DBBAD1CED40D9022F0D1A477304B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:32.980{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8EAE648F667F0E063FB2A7F85EE372,SHA256=4F08B422EBF3C65BB0087AF47FA33C275DAABA6C082BBC1E0DF6682035B775C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:32.526{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5E27E59394C2CD06887B352D6F23F7,SHA256=371D17582DAAD2BA5EC2D68DE7B0A4ABCCBA3A4AE923CCDB92E6B3A02A9C7775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:11.674{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62994-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:33.557{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC8858010C5108A16B0D0711D98796B,SHA256=E4121A5A0FE13CD42C2855D1821203B6F5D8785090649AB39AC5C73C3F9F9371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:34.589{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367B43BC433299B7FD0E508359932396,SHA256=0FB9A37FF71535393C0A0087F141694124E025864B628B3DDFC07C3907138271,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:34.152{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CF0812B24F7AA94EE7667A93C46CBF,SHA256=6C402561154D5F8EC2938D41F36E095A0DEB60C5C2194171E340A75733BEF26B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:35.604{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55C9BE2181B4E6655D2CE2A39851DBA,SHA256=E512D84794900AE47CCD06BB8E8DEA9C9DDDE1F085BBB84E2DC756F038D4CAD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:43.562{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61677-false10.0.1.12-8000- 13241300x8000000000000000107410057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:33:35.652{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000107410056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:33:35.652{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x8000000000000000107410055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:33:35.652{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x8000000000000000107410054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:35.324{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B40CCEB1CE035E096690B1530064078,SHA256=8658FF6BEA1CE86ACEA76D3091260EBE810D5194CCC0BAA84F3B0AACD67EA123,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:35.292{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5737F12F8B165E0FFC12632FC36088EF,SHA256=2F7723F73B37BF1884723CD445A381CBC415F245578CDBD68209E99018D061DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:35.292{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E01C007946713B9FB6E3A2F98F06C96D,SHA256=CB7D99E444DE0729956CE010A9914D56F62F7C9BA44D60F4EA1A0582F953375E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:36.636{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61060FC743E91B063D978D1123677ACC,SHA256=6BAA17ECF1C812A278BECD94541CDA1D72DA3A1831FFD395130A35ED7916615C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.084{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61679-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107410063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.084{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61679-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107410062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.063{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61678-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x8000000000000000107410061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.063{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61678-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x8000000000000000107410060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:36.636{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5737F12F8B165E0FFC12632FC36088EF,SHA256=2F7723F73B37BF1884723CD445A381CBC415F245578CDBD68209E99018D061DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:36.339{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D362C8989098BB3F5A1FB73A0C8E39,SHA256=5B301BED4649695EDCBD9D245AF0FCA5A67D140B74394BDAC9EDFB5CAD526904,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:37.651{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D76D635BEEB9A303C4E4321C4C20A52,SHA256=9431DF9D84E07742090AE9582D68A311F58E674456AE53C6CFF891D7FF51FC89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.095{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61680-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107410066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.095{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61680-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x8000000000000000107410065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:37.339{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921E15B32E4CA14A7AD254C224D55B20,SHA256=240BD1F45E42B824976D5DD79004B5307B1458B3BC6BA825A14CDCA8ABFE54D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:38.698{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30F604DC95D390A936E1F3DCBF1BC1B,SHA256=A0CB63F9105755F3FFBEBF5FEFF6F9586BD220E8B9F026129DD5575BD3D29460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:38.355{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EF4EE09EBA5740522E8B9FD3956973,SHA256=2F849AFF6A67675BFA3BD09A6100B8757119E79A0A2F2C916D785C9487164AF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:17.580{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62995-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:39.729{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748D1DEFA7D3D42E795E5AEC7780F85E,SHA256=D440F7ACC2A228DD5F1B920001956FAE92E37D8C0BCEF36CED707C33772D96A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:39.417{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0F51198B45B8518DE59D93164E61F2,SHA256=8AD0F282D20170A12F4F0C7C319C8C497B3F79FB08067CC104233AFCE2E6E34E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:40.652{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB07590A17E52085BD29038C9D9E5D18,SHA256=61E0F57E910258024D064B7913CDBC601BD1D4D600732D18284CEE136D8B10D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:40.745{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C388D39E27AECD3C4A19063CF3BCDF8,SHA256=A040D15E58CC4AAAD64458D1C1ADD292C67E4C29BF1EE9997EBB5E441D617BCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.468{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61681-false10.0.1.12-8000- 23542300x8000000000000000107410072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:41.871{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33C60FF6FD3D9DF48562312A8D6B43E,SHA256=F07D5796BCDD928204A828EB6936507513EA1C34D5FF0704CB426DFBE639FFB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:41.761{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02A9F1EB249D33FFBC53D655D69BB85,SHA256=4F3E08E5D3F83D7C785065D53BB849D5095867BD14009978FEF1B969CE0ECA5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:41.074{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24E8DAC8859B28F1C54DB5EC00834C53,SHA256=063106049A3D1425665B21DDEA6B2565E5779E26BA620589FC256DF47769AC46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:42.871{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC7B350846BF6E3CD51A440AC7AA926,SHA256=8124049D31FD89F4E8374054A0C22393AC3AA06B148BAD7CA51512AEF455B040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:42.792{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B31B6D70B7098DF8C5988127BD65A29,SHA256=E54612C8AB1B35C3D095ADECA2EBFD24A0C835EE6F390ADA116638C4008B14E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:43.807{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA02EE035EE9194D502443E77F41C0A,SHA256=976AAF76CF2579CE1BD5C54E278552223598871B3B77DB492720B62468FCB7E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:43.199{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D616815766BDBC2ECCFF86F1EB85ABD,SHA256=EDAEA5506F8C74D4DEBF012515E7611CA182A0012C183F65093546C79526BA81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:22.611{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62996-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:44.839{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF745375F6F9C84640D5026EBF457DE,SHA256=7FBDDE89250ED5B6CE41350F5EF0579BEE5710C15C3B74252A63B22815C998BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:44.105{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CED2D6515CF54CA8A1BBCAFEEA388FD,SHA256=BB14C2879C3A1FB9E0450610D56D9DA591DDAB650AFABD043A695B91B82D5FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:45.870{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5731223F0BFA2244F2C9CBAABE0FA4D7,SHA256=7EA0EBB2023B7E9C7BD09C71EEE81AD3F3E5CF44132FF82838481F7F96FEF8F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:45.261{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14E54738E573CC1350B81A92C36C7EA,SHA256=E8D925655114EA0A0D7B27DC4DECBB6DB5238E3E697151270909BE1827312D07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.964{B81B27B7-A57A-618E-C742-01000000CA01}47765796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A57A-618E-C742-01000000CA01}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A57A-618E-C742-01000000CA01}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.792{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A57A-618E-C742-01000000CA01}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.777{B81B27B7-A57A-618E-C742-01000000CA01}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055905860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A57A-618E-C642-01000000CA01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A57A-618E-C642-01000000CA01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.104{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A57A-618E-C642-01000000CA01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:46.090{B81B27B7-A57A-618E-C642-01000000CA01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107410130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.730{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107410129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.730{3BF36828-A57A-618E-6411-01000000CC01}53564016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.730{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.730{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107410126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.558{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107410091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107410087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107410085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.542{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.528{3BF36828-A57A-618E-6411-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.417{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5ADD8E4E91CD4614E3CE3547BC8B3D4,SHA256=AD744E1C2630AD1E3386CDAA4D8449DBCD66D3CB9E0ACBF17F0378AC408D6061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:46.214{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E7E36D3A2ED456B9525DCB22858FAFF,SHA256=251CAF60C77432472259C320F8290F1483BFCC99006D21801A63D9A4FA1727AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.966{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.966{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.966{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.950{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107410205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107410202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.934{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107410193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.919{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.904{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107410190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107410185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.528{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2376C86D8EC5F849B752042E4FE120C,SHA256=9FC9B795A89AB505D35EAAF6E3FA8F9398CD2E36BF8834395CF28E7B5E546BA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.528{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99F47C8C8786B7211F34E48FDEC23C4,SHA256=F79F67C056A55FA3E5E28354CCA1D2B0D3D27DCF3FF55E6454BFB024B4B174B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:47.371{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAB7F1534E13A926D6E1E841E537A7EE,SHA256=C5084D25BD556B78FA1A94FB5D233C0F007183A8630918C0CFABBE78E3B43019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:47.371{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2D9E342855E545BAABEB6BC9041042,SHA256=E29E4161C5DB8ACEE3620D878A3C63F83CE58F47705D47D340C4D929B6B08315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:47.371{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB7DC7579A1BA5737BF0DC2BCED2D7DC,SHA256=3965851A8CBCBD695864F834C31FA114991D451DEAA0974AF75A160A822995CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.434{3BF36828-A57B-618E-6511-01000000CC01}58083400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.434{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.434{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107410180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.294{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F14AB75363FBE15CDD7C0026F9938F,SHA256=10B1BCD56DDEDFB9BA24E3C15E7898A3BEADD8638D1A23E7B4AB60C0C67B4D69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.247{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107410143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107410138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.231{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:47.216{3BF36828-A57B-618E-6511-01000000CC01}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000107410131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:54.640{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61682-false10.0.1.12-8000- 23542300x800000000000000055905878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:48.137{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6759C68BE89F24ECE08288858B3AA6,SHA256=52784E0B117063A3A64ACAC7C6AFD1A3FC6685791DB937885D9C693B7E275B42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.981{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.981{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107410296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.950{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EED35AEE4AEF1E5DB4B7A5D803514E4,SHA256=93C24F050927DFE517CB21EB9EF34ADE52994468E9E067E87CE898B15061389E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.825{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107410255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 23542300x8000000000000000107410254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63D9ED7EE78C3B811589A119D2F7263,SHA256=2D362BD46AF53782C942C3294E2E0E7772C2E9896E9FB13BFFB3E6983CC38D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107410248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.809{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.795{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107410241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.309{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.309{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.309{3BF36828-A57B-618E-6611-01000000CC01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107410353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.966{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B0FF9A6F39E38A3D5D0FC44329B728,SHA256=6938C2937549F466CD0EFEFAB62FAAEF0BA7ED3F74348BEE23490544A6727925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.684{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107410351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.669{3BF36828-A57D-618E-6811-01000000CC01}56044180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.669{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.669{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107410348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.606{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D98FD6EFC92D5333C08CBCC6781FB07,SHA256=4D7098C86232D10A7CDC8B81388DEF9FC2EBE54E1854297659B6F328780FB84E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.512{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107410312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107410308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107410306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000055905879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:49.152{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4A1846483D2BA98DFF066DE8052DF2,SHA256=79575732A13A55FD288A4E42BDD307347FEB8569AD6F25AB8E1D25C1BFCDE398,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.497{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.482{3BF36828-A57D-618E-6811-01000000CC01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107410300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.997{3BF36828-A57C-618E-6711-01000000CC01}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107410299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:48.997{3BF36828-A57C-618E-6711-01000000CC01}59803572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055905881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:50.168{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3945D3A86AF6FF14AF59E15931C8895E,SHA256=6985BDAB612499492C8F4A695AA52C058F09A13C04463F53D6324CA74E53B5BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.903{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.809{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.779{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.779{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107410444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.762{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.747{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107410421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107410416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.732{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.717{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107410409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.216{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.216{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.216{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107410406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.059{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107410397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107410374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107410372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107410371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107410370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107410366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107410361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.044{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.028{3BF36828-9799-6185-0C00-00000000CC01}8441296C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.028{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.028{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:50.014{3BF36828-A57E-618E-6911-01000000CC01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:49.997{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62C0765126F92D04909112C1199AE2D7,SHA256=45A53CCD0DEFEEB4A27764C8C018B41A27F9925C238E608EEE859A77D02AE53A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:28.565{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62997-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:51.184{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34DAE5F4A2D5BB6912A29E12E9FEE74,SHA256=FA515F3C928C4C77A49DF937794537803AB4426FFD7D2C0E20680E6218FE788A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:51.262{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D4F04C4688357D729A2961CED71203,SHA256=F2AE88FAB98343D6EFFAA832380F3B372C69D74C79A0023C6B2FEF71A3E3485A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:51.231{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F5574BC9593A135EB64E8A13968B23,SHA256=4E83180994664719B1EA39C5D64392C881FC3F49E72052E4F5E3D9E9AA7812A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:51.231{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55E7357A2DD194BE0306F6E1F25149C7,SHA256=3F54F667AB68A3C4AF4BBC3F0EEC35558EE8041795F666446124155EEB29D000,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:51.060{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:51.044{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:51.044{3BF36828-A57E-618E-6A11-01000000CC01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000055905883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:52.199{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6565CA784DFF5623FA078EEE4EF6A380,SHA256=DCB27F4954CF5F343D34B4131B14007D21989ABD495B204A6D4F9701CA918C34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:52.091{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52678523717A82337A971435739FFB29,SHA256=3D41E96F9FD0CF9C81F60E7A03CF4C1FDAE1BB7AC175434AFA823331859E1973,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:52.044{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5390C5B88C701FCA30F06529A13DFD4,SHA256=BD16AB497D746161DBDE015BF0472A85C3C0396872E887AA9DA6E200BA22A743,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:53.276{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E07BEEF0AA6AF738D1D961616CD913E,SHA256=A12104298F1754A62042B5DC5AFE28D70BA28432D8BF6B4710C610893D17CEA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:53.215{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383938F14F684EA8CD6E069149156926,SHA256=819F0CBED3C47AF1866D592222B29BCFD59BC52C846124F2223B7AE9C7A7B207,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:00.487{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61683-false10.0.1.12-8000- 23542300x8000000000000000107410473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:54.296{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA879AB1302B407F7FD07BD92DB03AE,SHA256=E4E339F9622A2027D06B44766113F891131D15F306282530EB7F68C1D27A70BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:54.246{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C616AB5FB677D21911621C51214CD3,SHA256=FF6CE5F7434345DB13FD2960427D01B33668AB4F7F9306C946E751C3EC88D999,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:55.531{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8276350023A3EDA2C830D0CF892CE1FB,SHA256=FE7EF0B843E78AC0B5BE0E89F225825A9B15B96662AAB01CE0C4D7D71931F30E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:55.262{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4734D2B1BF8C351CCEBD4488222B7B4,SHA256=DA196648E18E26B37AE08C080A23EB63C293D7A85CAF84357159E5BFBA57444E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.496{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396DFD01E97D1AC163D74BD45A7628B3,SHA256=0CA1E89AFDC03FD5101251A19D6A225CF857C5D304044679FB3B3E6CEBF802A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:56.593{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76528F197555A76EC8DE55CE61E1B93,SHA256=72005BD5E9D0BEF98DDD7A831BA4C370131F32C6F741EA23B126AFCE36D2F3E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A584-618E-C842-01000000CA01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0500-00000000CA01}412428C:\Windows\system32\csrss.exe{B81B27B7-A584-618E-C842-01000000CA01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.402{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A584-618E-C842-01000000CA01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.372{B81B27B7-A584-618E-C842-01000000CA01}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055905887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:34.596{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62998-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.684{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1713272C3F4D1EA6A2110B9A242305C5,SHA256=8D4E6BE68ECF8FA1B2BF766C152E3FE950BE244A1CB022F574FB44FF28F6FCB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:57.625{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0DAAC99C8815D497FE7908E2532F8A,SHA256=7AA70EE01E3A58891E44C5D4A963F8A58530ABAB012CBF7B65941F54BE5E3101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.606{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50EE531774028F96BA6CF42AB1035FDC,SHA256=0068177BDB3F1CDFCCCE45F8CF80C156EB4317726F090C0B73F58009DEC86100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.606{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAB7F1534E13A926D6E1E841E537A7EE,SHA256=C5084D25BD556B78FA1A94FB5D233C0F007183A8630918C0CFABBE78E3B43019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.246{B81B27B7-A585-618E-C942-01000000CA01}40326052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A585-618E-C942-01000000CA01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A585-618E-C942-01000000CA01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.090{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A585-618E-C942-01000000CA01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:57.075{B81B27B7-A585-618E-C942-01000000CA01}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:57.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296A760CB7ECE7B33658AA62AF78944D,SHA256=F33AFB24CB05CD5687E90333F2A7FD66D995883276969D84022F976126E04FBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:57.171{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3ECEDE38CC7FD535EE3E1037616554,SHA256=488E5484E50A2A1A5DE3504F007ECEABF0578ADF881FD070E0670513938316E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:58.715{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AC994244BCFE5BB03C2B193FF23B70,SHA256=FAF09072E06DF74B35B8F7AD1F17B46AD9954FAC2FB7532A31285E14F4B22E68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:58.640{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFA6961B92FFC4D0508723A810653FD,SHA256=D7D34545D44E7D9DDAEC10100BCCF8401AC671530AE9F151BD83A293EFF747E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:05.597{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61684-false10.0.1.12-8000- 23542300x800000000000000055905920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:59.731{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EBA504D093708177F78E88FE6207679,SHA256=4ED36883353449ED06DC86841744AB0F46AC34BCE7787660DCF06C0FFEC2534B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:33:59.828{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E880F162B866BD0D12016011063B85C9,SHA256=7645D2EC18BF30376E7A5486FBBBEAF7C1BA9450BA67C65A37489840D7BD7DBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.887{B81B27B7-A588-618E-CB42-01000000CA01}28722848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A588-618E-CB42-01000000CA01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A588-618E-CB42-01000000CA01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.715{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A588-618E-CB42-01000000CA01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.700{B81B27B7-A588-618E-CB42-01000000CA01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000055905936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:00.621{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7eb-0x7aadd706) 23542300x800000000000000055905935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.262{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=907D1ACFD6C3B6C306B14E9D33BC5573,SHA256=117AFB2C68557C8EFC0DE264281CB7AA9DE6A45B575CE18E69F0792C1FAA4AC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055905934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.215{B81B27B7-A588-618E-CA42-01000000CA01}2004896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.043{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A588-618E-CA42-01000000CA01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A588-618E-CA42-01000000CA01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.027{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A588-618E-CA42-01000000CA01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:00.013{B81B27B7-A588-618E-CA42-01000000CA01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107410483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:00.578{3BF36828-9799-6185-1600-00000000CC01}12724584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:00.578{3BF36828-9799-6185-1600-00000000CC01}12724584C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2E00-00000000CC01}2972C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055905966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:39.705{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local62999-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000055905965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A589-618E-CC42-01000000CA01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A589-618E-CC42-01000000CA01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055905963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055905954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.309{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A589-618E-CC42-01000000CA01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055905953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.294{B81B27B7-A589-618E-CC42-01000000CA01}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055905952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.246{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50EE531774028F96BA6CF42AB1035FDC,SHA256=0068177BDB3F1CDFCCCE45F8CF80C156EB4317726F090C0B73F58009DEC86100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.152{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6EFAAFDAEDE52765A139E03DD6E6E6,SHA256=928AD3B904D4954A99FBCD1678100B5D027EDCA25F39883B36509DB09F3B012D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:01.625{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296A760CB7ECE7B33658AA62AF78944D,SHA256=F33AFB24CB05CD5687E90333F2A7FD66D995883276969D84022F976126E04FBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:01.046{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DB56DBA23AC9CF8839B8F7174D5C1C,SHA256=95A441F01552EC0D84ACD7E2B2243FEC29A98638087DF8A1F800865475BAC385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:41.111{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x800000000000000055905969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:41.111{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x800000000000000055905968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:02.356{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBC52945257487D8946D521184291A8B,SHA256=D4CC4CDA42C1410277F1B5551259ECE59031954D1100C0B5ABC58AE26D28AA17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:02.106{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C284AD0B350D75C83FD185C54172C3,SHA256=79F7CF63605CB08BE0F4906CEB2C8C5DBD25BB93D13DC0C51BB30F008E749268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:10.032{3BF36828-9799-6185-1000-00000000CC01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 23542300x8000000000000000107410486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:02.063{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E45EF8CD7E122553B3DF2238A86195,SHA256=980976957EC305D9B7251DD197AF30CAF75E43959102E3B11F2102686E61E71B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:03.309{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B2E2B09ECA4B70AD0A46BB80054AA5,SHA256=9DC87A15BBEC96072F2F24E0856A1317D1A75BB6B209EF94A92F3E0BF3EA8D54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:11.472{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61685-false10.0.1.12-8000- 23542300x8000000000000000107410489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:03.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7113D1AA4E16AE15A06A882815FF543D,SHA256=46BFBE7392E7B37AFF706A76C1BE8DC813F7FB003DD27822AFB4B0C37D519A2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:03.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6E8C2689D88148F60375426A2E54F5,SHA256=D8354F544015295F890649BF1AC704E2C5465E3DD8E66DDA180610E799025191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:04.371{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8922A905F66D236A4ED531B7D69C391F,SHA256=0428DDB5FDC51E6D52AED4D67BBF8AE954ADA7221E014DD8C2C8C153FCE3D94D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:04.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDABD2FF5DC75B40A92EA6BFC20F4E26,SHA256=F865A15643E9F7E8BD3A08F51174CCF33EECC7F0FD36909B1F8325B7E8848509,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:05.403{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B056D171777FBD1F39C7861D27971D37,SHA256=0217D6D83056EE2A42430C13967855E229A77E02930942FF386EEFF28DA57014,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:05.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1956602B80ABF32A6E528759450F3892,SHA256=A59FDC41C1EFAA944AC8196E7B70BF00579576D066C0F8B43D0A7E34536A296D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:45.611{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63000-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:06.418{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5DDAA180CA885A79F118E77475921D,SHA256=6C4A909AC09DE5D58D5F4B7827707B1CD8494FB9FFB719DC5DD06CCCB861F4E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:06.734{3BF36828-9797-6185-0B00-00000000CC01}6361884C:\Windows\system32\lsass.exe{3BF36828-9792-6185-0100-00000000CC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000107410495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:06.406{3BF36828-9797-6185-0B00-00000000CC01}6364356C:\Windows\system32\lsass.exe{3BF36828-9792-6185-0100-00000000CC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000107410494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:06.312{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:06.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E9DCF44D32DE21E24B912FED12857A,SHA256=CBFE78E30A9C0FCB88BD689D110382EAFE8540E6A59158CFFF403F5EADFB6770,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:07.429{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7250AD2F9744B1714C3C6C1D7809BCBA,SHA256=D35A7BB5B094C15A7483A0CEC5C2995720A98EE8D5481645D8EB3D9303EC9DEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:15.504{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61686-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107410499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:15.504{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61686-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000107410498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:07.109{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B378AE945DB39D8B3CF1570E56D5848,SHA256=F770925936FD9954A63B12A3D7180CDF025753FD687E4646E83AD0C7417E5AB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:07.078{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD500B768343F2048B066EA5CB64472,SHA256=478B70828D116352F9DFCA9DAAD47D11E38937799557083321A0B76892543CC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:08.476{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D82F8DE91288BB8F8842AA3C7C0FFC3,SHA256=A4D0436A2326392914963C7116D8DFAEFFF0283ABFDA8C9C002C9337F55EDA70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:08.211{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA9692FE6CCE7425FC2F405F34B56FF1,SHA256=6FF0AE4DD2AB37FA0412B683846B1C7BD1BA7B0BD0A433C38D946381505E7559,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.166{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61691-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107410509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.166{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61691-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107410508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.067{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61690-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107410507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.067{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61690-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107410506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.056{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61689-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107410505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.056{3BF36828-9799-6185-1600-00000000CC01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61689-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x8000000000000000107410504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:15.833{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61688-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107410503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:15.833{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61688-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x8000000000000000107410502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:15.723{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61687-false10.0.1.12-8089- 23542300x8000000000000000107410501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:08.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07932D49B636013296163AB813D50A70,SHA256=2BB101B59B0A161FEF5D50689D91A9098F8C86BDC4C01F73F35254537911FEF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:09.507{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936E50D77B708F3A7FAC8715A0591DD9,SHA256=5F219147B8F3327E82FCDD9AB5140C75DEA0B2DB4101C6C375BFE42962D6CD44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.629{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61692-false10.0.1.12-8000- 23542300x8000000000000000107410512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:09.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24006D0ACF463B26CBF86AF026F5DCD0,SHA256=F8CC11011D9A14A8B83621CAD0F7E65293839F18D2173BB538FA6C52378E1046,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:10.523{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C5F7A2904598175DBA385A5CEBBF11,SHA256=C6CB8EB5CC508C28636086E2C942F13EAF431BF6E2418245578C05C25865286B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:10.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383CC4101D1F9F5C7062492901B8F245,SHA256=328B4CEA139419BA8C8921ECE315832D53877214DAC7C6A94CD70CA5E035A774,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:11.523{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD711349A67F222AD7A5405A2AD75408,SHA256=537BD6DA472ADE458B443DB52E2AA447D9B37D29AF250C976897030621B3DAEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:11.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2AB525C97C3B3D1FDF4CAF8C8747FA,SHA256=98143449376F49905D3103D3BEE813C9697B45283565F9FBAEEAB21361048859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:12.616{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A972EFD704D36C7F7838D8EC1B473C,SHA256=8FB31212714ED5E323B968DD80C98B542A877A59286F25CFE803ED50C78F607F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:12.086{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7890BD5D4C69722A595C73555DADE991,SHA256=3200421C034B45C553AD71E07C577B2C330CA0D60834AC04CD697007A826BACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:13.851{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB0A36E75AD930A65D924988B8A36B9,SHA256=536439301FFA937CF411B26E1F7F10EB4FB793DC18FD21581F7DC59590EB7EF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:13.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBA62B86C7E1925006F86219B6F20E9,SHA256=C265D49A76B6A21985224E7FC302DFD4E9E807B658255D1C49671CA217C45BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:51.638{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63001-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:14.976{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A380611C9386D961239F624F1CA2981,SHA256=E91F98D74831CF37FCC932A7DDEB876953FEDCFB65076831A38CB6BEC390580C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:14.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47EE876F9E3F6C83F0591E6B34596058,SHA256=58161ED379EF712D9B15E5642EE990F410C85464D9B9F97F538CF2E1D36FD0F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:14.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5257C6C8FFF1E5F3741CE139AF2D744D,SHA256=E7C2F2F2F5FB4E6F79D1F9B8CCFF1562609AAA080C8C7F271F4711DD0B8FE58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:14.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20AA5274BF92B4ED2E4453F8FD18D4A,SHA256=D2960B937DC4965B1D9121AAA1E3B96EA7AD752B92AE48ED39D4A5EFCE8CAD05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:15.991{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789942F96C5C2EC9DB837F3C3D1B7E07,SHA256=5FC6C31D8D57F7A6EC9323B097BE854C9FC91C43227D03FB25F35B65CF3353E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:22.512{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61693-false10.0.1.12-8000- 23542300x8000000000000000107410521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:15.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2F0CA2741268A3B39D08FFEED72DD6,SHA256=7B90B2F1853134FAB26B32B20CCF14CCA190F83C741EDE84B2C419995EE1AB69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x8000000000000000107410533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000107410532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x235ef2a6) 13241300x8000000000000000107410531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e3-0x22d33ff5) 13241300x8000000000000000107410530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7eb-0x8497a7f5) 13241300x8000000000000000107410529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f3-0xe65c0ff5) 13241300x8000000000000000107410528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000107410527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x235ef2a6) 13241300x8000000000000000107410526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e3-0x22d33ff5) 13241300x8000000000000000107410525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7eb-0x8497a7f5) 13241300x8000000000000000107410524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-11-12 17:34:16.914{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f3-0xe65c0ff5) 23542300x8000000000000000107410523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:16.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7ACEC189E8F5F7E15BA078716A48E3,SHA256=C2CBBE2214C8D333FB3A3D27601C210DDE564F4E86BDC0E74401AEB2E0A37889,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000055905986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:16.616{B81B27B7-F666-6183-1200-00000000CA01}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7eb-0x84368221) 354300x800000000000000055905988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:33:56.700{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055905987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:17.194{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9454CBB84CFD603D2237132E37EBF5,SHA256=6AC7BC00D9D864CE6956C6506B45FDA574ED079FFB7973C36DF0F4785D99ADCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:17.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADC466D068F24EE9A658E8644B92A3D,SHA256=D3B8DD482ED3D5819907BE85562BD0547452248B13FF36321A6B193225A5E405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:18.210{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2C83D6284BAA6C13E9882F46FC6871,SHA256=1A7F201583F4881A57BDD4973F3200E6D6193440D4F79F30D113CCACA9063862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:18.148{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47EE876F9E3F6C83F0591E6B34596058,SHA256=58161ED379EF712D9B15E5642EE990F410C85464D9B9F97F538CF2E1D36FD0F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:18.101{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EAD198063861CD5EB36AD4858E4F33,SHA256=6050EC5A27A3C021F4D3B6E73A1B90B14F4C95844BF9C2124AC26C579103CF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:19.306{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405480A5F5B22F1B75F293662BE4FBCD,SHA256=22DA92C0CEDD7A064C2E85540E6A0C12CD894977D72FD18C9FA69A870CE904B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:19.226{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCC1A3394CBAE51DEA40D73C86BE410,SHA256=8088F62E9281D17C571D5D111EE39394750586D1C0E3335111F0FF8B1C8ECA3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:19.228{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29CCC675063E159DAF9ADFDFB72EC5A0,SHA256=F680D876E035F48FDD71566D17798A95803DBD840C751302E3A869728C2E5141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:20.697{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=59944318D6C13F4A595E75789F5F5703,SHA256=2D62A66A2315BEF5F8AB61C621B53EE9A14626EDC1DF1C6EA8C0701D600279DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:27.637{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61694-false10.0.1.12-8000- 23542300x8000000000000000107410539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:20.306{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81CFECEF752922D4548BEBC183C565B,SHA256=6862F121FDC25FB987D9B50FD4D9AFA6B39DB3FC090B951DF6D13CD43AD1456D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:20.245{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171148E1B18DDAD5ECB5B8C12860C4F4,SHA256=BE5AD027FB8E54415FAC8B87D10C6BA7780F10F33FAC3F63491D3D28C2EBD142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:21.337{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0D3A856EB083C59391ED3B1F54F8B3,SHA256=FEB184CF567EFCBF8D412770321D214E7B077A6903E90CA26C54FB1CDEA5A7B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:21.273{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB03003314199DECBD8F27CD86140F2,SHA256=C890967A642C2F502F424CDF4404AE5A0C3977B18741E84C3EC5D98C4CC659B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:22.292{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD75EF455661B4282A021F9181872AF2,SHA256=CF38D6DA86516726A09B6F06D176013A989A97CC938D18315386166592BD4234,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:22.353{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0692B4B6FA7543745785FD74B0794B73,SHA256=A308E719E1506360D5750CFCA714937D49CC6AD74F678EC9538B68C85DDC646F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:23.324{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E565A37E5BE53C54BCBB065CEB267F6,SHA256=2041874C090CE4DB64C67B2746E34AC2F597188AA1973E199940F354E68169AA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107410572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-7A0F-01000000CC01}2116C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957F-618E-7B0F-01000000CC01}2096C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.587{3BF36828-9799-6185-0D00-00000000CC01}904928C:\Windows\system32\svchost.exe{3BF36828-957E-618E-790F-01000000CC01}5828C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107410545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.384{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DAF94DED9008097CD9DB738F4852E3,SHA256=E29F59B99F8F44847783334A363467E68A0BE7E7DDE9B197C2926437D96BC6E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055905994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:01.701{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107410544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:23.212{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCD10ADAB0F4B72E5DBA3446E6CB6AAE,SHA256=921326AC728B8D05256EA1342FC2DAB2A1DE12E25EAEA48C3C004D0B3B641B7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:24.540{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC684CA5827C3BF94539B3DB9882726,SHA256=6A4F1DA1CE58729406D3F2C0B84B6A341B12CE2406A8357BB22621ACB9DE9D88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:24.355{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6473C0F9DD53B6C78461566966B4A2F0,SHA256=2E36501E55A82D4C1D6652A24B1A61A5D5E1F0B9A3C3C76D187E7FE55BBC3B1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:33.654{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61695-false10.0.1.12-8000- 23542300x8000000000000000107410575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:25.697{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C8F2B4BB17CE8039A8F6926ABD2F02,SHA256=771C9D0EE6A896B2A32F1882F0300E89AE88FC03F29F361430A998BC6331609D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:25.370{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40A0B065CE1D39F07D3A2595075E7DE,SHA256=C0717F3B50D2819F1C28D8E267269CF963C78AB243557C715233CA12B4C552B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:25.259{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20DB5C912C36C723EF06559A3093EA14,SHA256=DFE91B35319B83D470891C4BCC71DBED206A12918D334016FE6608385BB5BA30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055905997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:25.058{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:26.775{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0472BD5D36FAEB6E06FD57EDA86E87,SHA256=AEBB7D3DEEEE900FD107274797CE67306868EE6817989B7FD2703E18137142E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:05.564{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63004-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055905999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:26.402{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4693E9E262D241EBE277FB7C8BA09E7F,SHA256=2D4121DB59F3B456FB1952AA2A4E934208C36DB1863EBFD64FCF5343710A75FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:27.993{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61DE2E686F1B9A8691B3B427FE1A1D2,SHA256=28CFDAABBD4C919169406C8F37E153E54CFCFE0C81C3F7C3556FAA7EE0280C94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:27.430{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4140A5066AA4826885F28A71929A99B5,SHA256=D84E08379A70C855AC490AE99BF5172DFCC7ADB756C267B7CCC57083B249B732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:28.447{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66838EE4D8E3CFCC2D31FF73FA8E2AE,SHA256=6B7D50DAC61833D789090758AC9C16493078462F1547B887D00B0F94A027E0EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:28.243{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9B4AEB6F681EF74C54EDB9F32B8AA1,SHA256=0CBB485875769E4DA230217042441670675CF35EF2C0CD107BA63ED636E4ACE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:06.766{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63005-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x800000000000000055906029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000055906028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000055906027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000055906026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\FlagsDWORD (0x00000002) 13241300x800000000000000055906025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\TtlDWORD (0x000004b0) 13241300x800000000000000055906024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\SentPriUpdateToIpBinary Data 13241300x800000000000000055906023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\SentUpdateToIpBinary Data 13241300x800000000000000055906022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\DnsServersBinary Data 13241300x800000000000000055906021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\HostAddrsBinary Data 13241300x800000000000000055906020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\PrimaryDomainNameattackrange.local 13241300x800000000000000055906019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\AdapterDomainName(Empty) 13241300x800000000000000055906018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\Hostnamewin-host-987 13241300x800000000000000055906017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000055906016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000055906015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000055906014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\AddressTypeDWORD (0x00000000) 13241300x800000000000000055906013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseTerminatesTimeDWORD (0x618eb3b5) 13241300x800000000000000055906012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\T2DWORD (0x618eb1f3) 13241300x800000000000000055906011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\T1DWORD (0x618eacad) 13241300x800000000000000055906010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseObtainedTimeDWORD (0x618ea5a5) 13241300x800000000000000055906009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseDWORD (0x00000e10) 13241300x800000000000000055906008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpServer10.0.1.1 13241300x800000000000000055906007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpSubnetMask255.255.255.0 13241300x800000000000000055906006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpIPAddress10.0.1.15 13241300x800000000000000055906005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:29.931{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000055906004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:29.478{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC13D6A7400500F84F05486FB396150,SHA256=A3D72A824AA3C536EB00AD052100948ADB97F352025AE4FAC6AE3ECB34017187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:29.134{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66E8A2ABC6EC97BC0B3DBF73885ECF3,SHA256=92236A4D89F2CA73973A4DCF1691073AF3E0EA698C37C55E8AE98EBF8A67788E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.587{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF1F22A633EE3C19257710A966CAA1,SHA256=2E1FCB6E88D6E5DF076030CCEF7379F9AE5215E1E1977AC5D75013249FDBFAB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:30.962{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C6BDBCE74B85CAD8FA17CCE472502A,SHA256=903F72F4012076F94885FA1889D3E0EA7FBAB3E2AF68B50178CB15C28583E516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:30.134{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3A6505CBB1F969C38895AB8BE9160B,SHA256=9796623A8C4A987AC034B7E7D6E33B2739E88600C3241062DA3520390D9E5BB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51EF-6185-7A2A-00000000CA01}5724C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-51F0-6185-7B2A-00000000CA01}5628C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.416{B81B27B7-F665-6183-0D00-00000000CA01}792812C:\Windows\system32\svchost.exe{B81B27B7-C63B-618A-82CE-00000000CA01}5504C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055906060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:31.603{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF099F10E25A2CBBA2B25EB2AA4BAEA7,SHA256=34F920D8FA9C8213EA54377273A2B39AB2DF8B8E7EDE2E70EB99D605A143E383,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:39.685{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61696-false10.0.1.12-8000- 354300x8000000000000000107410585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:39.372{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59012- 354300x8000000000000000107410584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:39.369{3BF36828-97A9-6185-3200-00000000CC01}2360C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53489- 23542300x8000000000000000107410583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:31.134{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2B4A1801BF035A5BB1CD2060BD9592,SHA256=3E0D648C6C04FA325AD59E9F3CD7FE175E9BB674CEE87F1BBD7298DD4114AA02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:32.619{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA5BAB2C9D5318D8C9E1F4E16EE3319,SHA256=4243C8B590D4764B07796672D5DCB2210819D967F90B4DEF17074C340D288B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:32.165{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4509686D821798F0B361D9669212075D,SHA256=7FCBB17E0DA46BDEE5103695A109515C928DFC89ABC0EB8C3958AE052AD67287,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:10.447{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:787e:898e:ffff-54089-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000055906062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:10.446{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local54089-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000055906061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:10.436{B81B27B7-F666-6183-1100-00000000CA01}1000C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 23542300x800000000000000055906065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:33.634{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A27F7B57D138DFB485A6CCD29691582,SHA256=DF660E1915E750561BF8479C78226B1E5286FC7F282AA9BFEEEDE5B6A1356DF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:33.259{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109501A17D16DE22E1C78A1DD4B96863,SHA256=61A51B4A37197BCF03FE5B66C1C758F2EA8815E4D093ED91C5325A24B78E4198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:34.806{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC69E06A4B315E0706662CA336DBFCE2,SHA256=D78BAD4C589B5C8CF092D3DCB72EC8F313A26302AC2DF421746D55B22CAF50AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:34.290{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38656970CF2C0A937F10B8CADD729877,SHA256=8808FA0066C36DA5168270F7B8B55A538C5314182FBBC4BC99486BF4BBEE6A35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:12.749{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63006-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:35.962{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6601F6E3AC00C598E62D46391365F9,SHA256=7367A5FF226453C8E3EB5BE49EDF9FAD9745B1D9789B17800AFB04CC3A4072D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:35.337{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D1B6DADA478CB897EC19C4C8094FFB,SHA256=5033505D4B4C78BEA43BBE3CE4036B06B647401899EDD76994460F7D651CBE35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:35.681{B81B27B7-F665-6183-0B00-00000000CA01}6325844C:\Windows\system32\lsass.exe{B81B27B7-F663-6183-0100-00000000CA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000107410593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:36.900{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1E4AA163FEE2123D140AC6264930267,SHA256=32CE94E75946F0BCA939EB2313338E09E6C53479075E36D3465FC78959806016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:36.900{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E12F02065A810E66B10E1F8AB9A2F2A5,SHA256=80650C5E70BAB9F17D94A48F02A5A068693B4DD042E0EB725169C5653E5B2187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:36.493{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD607ECE75714DF014B2905E719BC407,SHA256=CFAA04CF3B9F8ECE784A49C1D1B57C540565016F53D8748745E9060C85D5898E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:45.670{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61697-false10.0.1.12-8000- 354300x8000000000000000107410595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:45.111{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63007-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x8000000000000000107410594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:37.618{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03BE76FE3F367DDC14B04E865BE1588,SHA256=2F7231DD24A1FDB1930FB20DE368F8406BEA9FCAABC574DDF264E3912C602834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:16.189{B81B27B7-F663-6183-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63007-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x800000000000000055906070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:37.087{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73B127359737E554AC7D238F3915EDB,SHA256=11166C8A082D0CBA0357C114299671C91DB717E752388DB8DBADEA441C0F0EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:38.618{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B5254DD9FF2A57C6E38F32BEE686CD,SHA256=7519DE06FBA95642E44F51F88193BBD67849742FC502C727B656D667C62FFE7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:38.103{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A478B6BB992F8D5E7175B85ED2133D,SHA256=78035F1F52E7D5D452816EDE2A7506FD7C467E2CF659D76DC5607F32A358A2FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:39.618{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFD313196467E65A30C36D9E26FFB77,SHA256=F95F41B664B70A686DA452EA909462ED435212EE8D8FF220595511E3E7413817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:39.119{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD1604672F479C0E8DD2A182E55A31F,SHA256=9A13E27520EC0E44A929BC0016F365680CEB9FB66001F15A0AC3679C1A20C733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:40.853{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F00E5D4B43592E451F600753DC3A0E,SHA256=AA6F28BC00799F1D09732C25F907809202EF9B3F6C82B1F19A9C0BB02427AF11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:18.749{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63008-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:40.134{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2D61E291E3EB6B99237AA63D950CDD,SHA256=39C11054CB969CD791974E12A8424D20D305F84C231CEB2D979EB7C8B1A5EEA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:41.900{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B06217B51A163B3242B39C2F3FF874,SHA256=617753EA411D5B66C6039C1A0C96C313833D595260DDF27EFD3A72E900C2A143,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:41.322{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2796E6F3EB06306BE8DD91AC4FC8D3,SHA256=00D31106B06685DBCCD103F8BA70334677540446FE6B4BFFDF5A39C0CA75C1FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:42.946{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF31278016D1FDC2796574C925C25202,SHA256=8DFE0BF6EA4C54957FD5CA32102A7D121711A6037E0C32A4EF9EEDD8FE0B1413,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:42.353{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0D6DBBA6F952BFF526BB81F8A576C3,SHA256=A1305259BF911B8A6154CDB5B9753E151AC3399576641B41CC3364758DBD33BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:43.993{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51567A23EA1BCAAD197CF8089E96EA7,SHA256=402B0365953428DCB947AC6E871661EA2B02ED0FD77B6257F361A8BB9C1D3071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:43.384{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E636426831D672B1A53B020B78CD1621,SHA256=FE0C81B4D1A8935A9888EA6332D2389CF4739C7DAAE5F9A1894510F6E7CE45C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:43.290{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9885144788D86DE1A7BAC69E2D8E100,SHA256=5F79963027C1F31F3479D1FC9B8AF220CBFC3A7B36FDD82180CCDA6829D43820,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:43.290{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1E4AA163FEE2123D140AC6264930267,SHA256=32CE94E75946F0BCA939EB2313338E09E6C53479075E36D3465FC78959806016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:44.400{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1055245AA6D3AF7E69E053432C1BA07B,SHA256=405BEAE333E9468005F7F5FDA499EF71A235A8E755EA5070F1C2DE1D83EF2F99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:24.558{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63009-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:45.447{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761A089FCBF11B9DF9353F4BC84E791D,SHA256=3DD257E1DFE6599AA8D232DE0D24C919BBB4EB07C2B87E41331CEB6309A777A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:45.150{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4601B5A93E5E267A4D0FFB24DC59F991,SHA256=3674C0C3843CA9E72F9B1F1E52C7739D262BC283DADAEC5164803523468270F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:51.638{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61698-false10.0.1.12-8000- 10341000x800000000000000055906119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.900{B81B27B7-A5B6-618E-CE42-01000000CA01}38604416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000055906118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055906117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x29bc9991) 13241300x800000000000000055906116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e3-0x312f28dc) 13241300x800000000000000055906115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7eb-0x92f390dc) 13241300x800000000000000055906114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f3-0xf4b7f8dc) 13241300x800000000000000055906113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000055906112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x29bc9991) 13241300x800000000000000055906111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7e3-0x312f28dc) 13241300x800000000000000055906110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7eb-0x92f390dc) 13241300x800000000000000055906109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:34:46.728{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7f3-0xf4b7f8dc) 10341000x800000000000000055906108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5B6-618E-CE42-01000000CA01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A5B6-618E-CE42-01000000CA01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.697{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5B6-618E-CE42-01000000CA01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.683{B81B27B7-A5B6-618E-CE42-01000000CA01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.478{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C226B5C539F7DA11C87BECBA5C314B46,SHA256=2F2283A3EAAD5E48B14303667F44F89CA0EAEA55ADBC2D40FBCABF6B81E56348,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.728{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107410657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.728{3BF36828-A5B6-618E-6B11-01000000CC01}3764420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.728{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.728{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107410654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.572{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.557{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107410619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107410614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.542{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.525{3BF36828-A5B6-618E-6B11-01000000CC01}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:46.165{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2551A4DE053A79E293DB821D9112C5,SHA256=C8A9C333A5F3E8D95ACF446B3E09C82C007B509A0762F0787C8F8786933594E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5B6-618E-CD42-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A5B6-618E-CD42-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.118{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5B6-618E-CD42-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:46.104{B81B27B7-A5B6-618E-CD42-01000000CA01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000107410764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000107410763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x8000000000000000107410759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.953{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 23542300x800000000000000055906122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:47.497{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDE9B947DA8DC86FC76322E33562315,SHA256=D659B4C9B90C08F33A973D6509CD3D39B7CBC2FF69C10B68BB82BCB83E1A474D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.936{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107410724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107410723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107410718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.921{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.906{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.468{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9885144788D86DE1A7BAC69E2D8E100,SHA256=5F79963027C1F31F3479D1FC9B8AF220CBFC3A7B36FDD82180CCDA6829D43820,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.452{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107410709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.452{3BF36828-A5B7-618E-6C11-01000000CC01}40203160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.452{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.452{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107410706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.358{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B23A8BF9A008ADB0B0EBD286B3552B8,SHA256=4948F3CB99C74C4C9BA796D517481325C6A53AFFB821DBD993689CC2A2BD9FDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.249{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.249{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.249{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.249{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.249{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.249{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.247{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.247{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107410670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107410665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.228{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:47.213{3BF36828-A5B7-618E-6C11-01000000CC01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:47.103{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F8515510C806FFB177DC76222BE5594,SHA256=123AF99F9419728C130ED704DFBA3471C838ACBA6D0515D9D35C8172CE2FB7E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:47.103{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F63C961782742053529378BC577CDAFF,SHA256=19A1946D045277BB658E4CB6C84623796756FE7822651461BA4A03BE9B6F9A6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:48.528{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A485C4943D459D30F3D3AACCCF47DC21,SHA256=ACB53DD3DF8ABEE5E3EAC33C1DB3CC5C4904099630D487E72F0D5EF92F73CE3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.952{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=899C123061CC7A0CD8B8219E7043B361,SHA256=4B9AE7AA78CE4EEA76A6615CD5B9DB2BDBEFE891B767EC702910CC896B01315B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.858{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107410820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.858{3BF36828-A5B8-618E-6E11-01000000CC01}50404600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.858{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.858{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107410817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 23542300x8000000000000000107410811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9113B27DC456DAEA18DE93C86CA512,SHA256=58EF9D76F98B3526B91A1AC5363DD14D26687596820035B27D63C49B0D4502BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.624{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x8000000000000000107410780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x8000000000000000107410775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.608{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.593{3BF36828-A5B8-618E-6E11-01000000CC01}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.264{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFC5BBD56FFA283922873FA34A43F32,SHA256=AB574DD045ACCBD7B0721559BBDABD7D4E2D10932980735D0AA8C85345E3EC21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.124{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.124{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:48.124{3BF36828-A5B7-618E-6D11-01000000CC01}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107410918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107410891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107410887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x8000000000000000107410885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.983{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.969{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.780{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4240DC682FDC9D213F818A3510F9FC,SHA256=BB84B49DC782E451553FC75C9CD094057F65E78BCE445C3683EA4837CD1E63C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:49.544{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12E8615990B49623237A72CD24FE48C,SHA256=5DCA00F0B4B12C9CDCAAA61A6F8AFD72A6AEF9ED73009A9678B5BF37B8FC7B75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.499{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.483{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.483{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107410875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.342{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9168BCACBF88390BFA60875976480DD,SHA256=36993057D41A20B4A8971151434739EAFD04BD6E4057E18749886E79AE1A2458,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.311{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107410865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107410843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107410842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107410841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107410840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107410838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107410834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107410829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-9797-6185-0500-00000000CC01}420436C:\Windows\system32\csrss.exe{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.296{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.281{3BF36828-A5B9-618E-6F11-01000000CC01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.968{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D8DC0CAA41AB810D3ED0C0CC2F4D26,SHA256=18AD09170AF979488BF60ED0BF41E3D5D3DED976C8ED4EF5DEF38FBF74B519B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.843{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107410982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.843{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.843{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000055906125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:50.575{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54009122CCE99586B1463E0F64D9D4FB,SHA256=BE7512A9D6BFCD82FBB23BD6D59E4752655A5E425C33CB4931AC355EC82EEE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107410980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.702{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107410972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107410971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107410969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107410968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107410967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107410966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x8000000000000000107410965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107410964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107410963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107410962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107410961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107410960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107410959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107410958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107410957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107410956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107410955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107410954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107410953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107410952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107410951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107410950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107410949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107410948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107410947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107410946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000107410944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107410942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107410941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.686{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107410940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x8000000000000000107410939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107410935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107410934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.672{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107410933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.656{3BF36828-A5BA-618E-7111-01000000CC01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107410932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.499{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58CA6CE43B3E536D79BB3DD18E7151BA,SHA256=3CF6903156AAB0801AE65B9CDFEB990CFDC111027516CEFA344647A2D5F7AE5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:57.675{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61699-false10.0.1.12-8000- 10341000x8000000000000000107410930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.139{3BF36828-A5B9-618E-7011-01000000CC01}2204956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107410929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.139{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107410928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.139{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107410927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107410926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107410925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107410924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107410923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107410922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107410921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107410920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107410919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:49.999{3BF36828-A5B9-618E-7011-01000000CC01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x8000000000000000107410987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:51.858{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817EF67BACDB6E6BC2FFDB4AFB80588E,SHA256=ACF2480CD3279E5BEACD69A0C0D63A36F1B66BF36EBF98A6282D829CC7A4E754,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:30.565{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63010-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:51.607{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A948957EED5DB48FCB0846D6638249,SHA256=091A39CB2CDEF066E1AEA320DB5A2737EC9A9BED71A763637E54B6E0A02914D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:51.671{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D90D24FA0476695B18E61F546CFA67,SHA256=F1D41A5F579D5EA232CD5B2E796C3641BAECB3EA3323EB024713B5351FFF0F39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:50.999{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ABD66E4C59B126F4897DE5A0BBC665,SHA256=6F16E1AF4BC85A5844DE3FDD4DCB6F225589AB0B9AD54F45A28655C6D4A08D75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:52.858{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77089B45D0C4378EB78BB12026CD8799,SHA256=76C8D2A3287154EB6D0429C5160F7EDDFBFA184C0B2D6614CE91BFECBCB5568E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:52.622{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F997747ABBF085371F293245D4C1AA0C,SHA256=470AB7C685829CD631A9A2FC673BE3201DF16611A1A180AE1BBEBA072F12AA14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:53.874{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBEFBCCD32C71E2AA5B32A46BD5B68A,SHA256=151BE2DCC650C1E9F52BFF7196823B9103BCB9762A97C6DE21865D5E4548E726,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:53.638{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9121075B7E838FE1310481185344F7,SHA256=3E5D0B0A21810DE3A5F328DB5B61B4717691A743202A9747C8E85823C7E13A61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:54.876{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C7B593DFE672F001ECD33E8E29B709,SHA256=CA1D916AEE98AF5A99F485B36B6F1E1EA97256ECDDE99644D70FFD94504BAABA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:54.685{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D53D99D8F8BB54B42E1631F02895B96,SHA256=7C230466CC8F3DDCF4A1AF99326F6E828BDB647463CD7564285FFC7844DD9F41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:55.958{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9BDA561EC38B30A2415C761BD00EE7,SHA256=4A61FAA06310822FAE9749AB6D723B02E71E882A20E472CE42EC6B16240123ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:55.716{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A452A02B33FF6B50C5B94F59A07A31,SHA256=1DC89D69D8C33DC753EB730D72357609231B48753248B6FB386D765AA251B957,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:55.173{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=605C3C2A591D2D8C5059E74D175786CC,SHA256=652CF6CD777A321FD5E1127F561F5000580274FE17B76A6C779E0A207FD06DE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:56.973{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00C963A4EDE422B2EC8FB593E65F625,SHA256=2E138F559894C81AA462BA0A6C1A8A5C9EC8523AA0755AA5172899A9522702D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.732{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398131C5651CE30EA3EF44B1F7A81EEC,SHA256=94DE740473CF8E0AE6437E2C7B184A8E08E015DFDADD815F356A9E31D61A0FEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5C0-618E-CF42-01000000CA01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A5C0-618E-CF42-01000000CA01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.388{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5C0-618E-CF42-01000000CA01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:56.373{B81B27B7-A5C0-618E-CF42-01000000CA01}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.763{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03B1C0BC5A1B4FBD882657DE2C3F367,SHA256=AD6193FB3C765F1D8C239590431BC6814225915B0D93384033DE3CC282208442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107410994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:03.582{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61700-false10.0.1.12-8000- 23542300x800000000000000055906162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.388{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CA44DBEE0093D8D779E9DF79076415B,SHA256=9C232079C1769791ADA1E1E21729A76C5BBF53E796CD5E6839DE09B1C7D0C0CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.388{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F8515510C806FFB177DC76222BE5594,SHA256=123AF99F9419728C130ED704DFBA3471C838ACBA6D0515D9D35C8172CE2FB7E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.216{B81B27B7-A5C1-618E-D042-01000000CA01}11885308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000055906159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:35.643{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63011-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000055906158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5C1-618E-D042-01000000CA01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.075{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.060{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A5C1-618E-D042-01000000CA01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.060{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5C1-618E-D042-01000000CA01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:57.060{B81B27B7-A5C1-618E-D042-01000000CA01}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:58.794{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA95E6D991EC49902E892B7A26A1D9E7,SHA256=914538ED5B02B8AD8C6927B490264D7AEBAB3CFAD1216755A533CA6A848D3880,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:58.005{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03F08D869A743B9547CA471501CE382,SHA256=89C6D2343C4E8557310F2BBDD9E2254FCE159057C0ED1E3BD34ABA0BC5204682,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:59.825{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED655779BAFC32262397D8812D7DFF83,SHA256=2F3E263508CF21CD72A80FEE984F13B4B215C70221F96294DCECB249920AEDBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:34:59.005{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A5657F1472C0F13E39FF7220918614,SHA256=86BB2A3BC3EE6A25B9DC438B566DD9E048F23F0EDA6196107851034CE6D896EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.950{B81B27B7-A5C4-618E-D242-01000000CA01}49964860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107410997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:00.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70607A6586297F592D970EF8A399BB2,SHA256=BE5965FC4D781288B5A8FE125F7BA82CBAE307CDF25E99B32E82204BF45C27C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5C4-618E-D242-01000000CA01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A5C4-618E-D242-01000000CA01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.747{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5C4-618E-D242-01000000CA01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.732{B81B27B7-A5C4-618E-D242-01000000CA01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055906180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.341{B81B27B7-A5C4-618E-D142-01000000CA01}1084184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055906179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.279{B81B27B7-F666-6183-1100-00000000CA01}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C3301DD33B80505A3D85C162A134F70E,SHA256=8881AE3E34C413504E3D80C7E2E105C3D2417E5D07972C2910F63D91410B51D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5C4-618E-D142-01000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A5C4-618E-D142-01000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.060{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5C4-618E-D142-01000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:00.029{B81B27B7-A5C4-618E-D142-01000000CA01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107411000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:01.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772C9C76D553193E3B51E1135C3E5C35,SHA256=87A1150FC90C022CB649E2C9AF38D388B322E13F6324CFE8E760925558E9AC44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5C5-618E-D342-01000000CA01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0C00-00000000CA01}7321216C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F665-6183-0500-00000000CA01}4122712C:\Windows\system32\csrss.exe{B81B27B7-A5C5-618E-D342-01000000CA01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.341{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5C5-618E-D342-01000000CA01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.328{B81B27B7-A5C5-618E-D342-01000000CA01}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.325{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF406019A589958A79A000CD25A48CBB,SHA256=04D11BDA35F2F72AB1F9E2BED7191C0E251C2E03073914B1D356FB183C5B282D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:01.325{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CA44DBEE0093D8D779E9DF79076415B,SHA256=9C232079C1769791ADA1E1E21729A76C5BBF53E796CD5E6839DE09B1C7D0C0CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:01.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72DC00F159CB76B603DF76B45CAE3EFC,SHA256=7C49A30F70BFADD0B2DE958591E4A0D078B2747F581E38181F174BBC20583136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107410998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:01.051{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F1E1175CA59965FC14CC802AAB6D5D,SHA256=A2CDEA749F15F1EF90A7193CD8E9E01BC8307911F8BADE2F54DC11AD756F518F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:02.341{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECE3E09CC9608B4E88E0497AF7612A78,SHA256=25A4CED9FDECE3A6B8F07A9B5E1FF44DB4B879058F559EAE2DD0A69EA65D2AC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:02.153{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890219E542F864409922212084B3B1A2,SHA256=EB12E9F000349166BB00E37D9773EE1A44B0EBEC105F0D3AD4528B9168E49477,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:02.255{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72DC00F159CB76B603DF76B45CAE3EFC,SHA256=7C49A30F70BFADD0B2DE958591E4A0D078B2747F581E38181F174BBC20583136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:02.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F668C59D047BAA99FD56CF0921013B86,SHA256=D53DC57F54210795A9616B249E785E501FB1F88882281633CD9E0A5A854B5E0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:09.464{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61701-false10.0.1.12-8000- 23542300x8000000000000000107411005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:03.270{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B83D81B24015395883F075A8EB5822A,SHA256=CC9F85CA82C625FE1729C87488DD4B5BEE067174C112CEE3C307D2894B102A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:03.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381C246DB995A9EB96B1BF56767D9685,SHA256=C6A276C13D6327BE46605E3333089FDDB4B9EA8D74A2017841736F2161C1F093,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:41.674{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63012-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:03.169{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D160B853F233E180803C00622C9B5E08,SHA256=80E5449953B29CC7E0FBD68D935CD6A8CFC2F7B653C588810226FFE659B97903,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:04.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21EEB75133F77D3DDF010C6AAAF9510,SHA256=1F7611490A730C0C14AE1F234F6808F87A6DE58C54DD7EA1AACA50629B0E3387,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:04.185{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2056122FBF696CCC5371EF829C1F103F,SHA256=30B86FC33C5B1C3FCEF181C1AF82CBBC54FFC3FAF2A109E8018C8B90E9B4806B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:05.200{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3264A89AF025B81DF4C6844C6155D6DE,SHA256=2D9986B01744F073E7D64D363DF1C6994042E8AB5CC718633B4A5515418AD318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:05.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5741233F10CFF93F3D00037C7D6A1E35,SHA256=0899AEFE09733737B458857C6B216C5C66333D087874DAD5DBB2E1C3A517724B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:06.216{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927B27DB8CF9E1E95450B04D8DC1D8C2,SHA256=F70579F70F5ECE1CD36C218618F82829F47A368B9E20FE8BAA0CD34C9642FCBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:06.333{3BF36828-989D-6185-BF00-00000000CC01}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:06.192{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9551998EC1F157BB0AACEABE5CADA39,SHA256=3894C3864913A4B0CBD14FD5845B6FF227EA6EFCA1F4FFDEBE4713E1134F87AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:06.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C468DCB152E9D9969C7E697A3A37A4D,SHA256=03C0F5D40713A08E76A3208225E7528013E202440EFFFD2CDC8E0290AA404730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:07.371{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A3F4C5ECDEE825894C23F262F0A34E,SHA256=F1ACF5A84A6DF635F16CF8EB65157468D0C53801D84F80F029C5111E4AE8192B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:14.619{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61702-false10.0.1.12-8000- 23542300x8000000000000000107411011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:07.176{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE841899352815580969E3667870839,SHA256=5D9D843F8E22DE0E6D61473981A9090997C2BCA761FFC15C37221B9B827F1D6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:07.231{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7732E861CF646F157B7DDFD7546FA7,SHA256=84232FCD9FBD6695E32876C5CD501A1FB399F3FD854A033F2B683A377D8FC8CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:15.744{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61704-false10.0.1.12-8089- 354300x8000000000000000107411016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:15.510{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61703-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x8000000000000000107411015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:15.510{3BF36828-97A9-6185-2800-00000000CC01}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61703-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x8000000000000000107411014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:08.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8607565CDC5EDAD0E6B9236BF8ECFD21,SHA256=BE6EE7E03D43A3931DAD77F535A71E17FB3E10968F1F367757302F10C41D901E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:47.720{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63013-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:08.245{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3E94A75C841F233586E12D1D52959D,SHA256=C7E45D37884325E55ECCFEB876867A1152AF9ADB03106728AC4D30D85499B9C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:09.260{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12E377F57117D47291E0F1B1AA517F0,SHA256=11A77BD8EBFA24F0B9E55224A3DE5B3CC21905E967084781AA4BC372A39D532E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:09.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F0152B1BB304BAC3459D0DD151DADA,SHA256=652BD74CCFA492D74DF5DE4BA62616B6171A987F40219BAB77B660310942F5F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:10.354{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED7F5EF130D879CBDB7E61C686B9782,SHA256=2B9C44A32339F158B0C6C5D79190C3D840A0755E24068DB46BC94DBD0261EA83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:10.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5960951B9B558BB59C24BE0C3E106CFC,SHA256=D97B8D901B1DE9B95D598ED2D77F2450284BB758C69A1DB2C13669E2FE80F0FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:11.588{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C675B7FFD98F34AEF8FAAAB83B7DC4,SHA256=094F83E17EDE08FD303B33CFCE5A002384CE522B108BB70BF91F24AB7C6D0854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:11.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE4D658065ADE48D36FC4DE9F244FBE,SHA256=EFD2BAFBDCBCA1557EA9036EB838C8E0780119A6ADB5FEE9E11AD0D23B100A4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:12.713{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F00CB310EF74441D2C2BCE3CC267E6,SHA256=0B504F2E7C72F12D6FF1D99BB7D117A9977047C7215AA7A4222E8A5957E3B1C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:12.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C89F1B7C53EDB35CF0B8AA36D11742,SHA256=41C82020E8FEABA4982E595E743CF11CD7B6F8F51E27FED7110022A1C618F17C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:12.168{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B985B005C5A7056527B6AF7232034F87,SHA256=732FB6F4A70ACD29E50FC36E59B7EB0682CA5FD982928ADE4A2E966870B78628,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:13.745{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54A5E18E3CE0E402ECAF7059E012710,SHA256=BC578F591D4D5E539868766595C2FB6592E68163F5D1E18641717D1FE5D1D13A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:20.595{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61705-false10.0.1.12-8000- 23542300x8000000000000000107411023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:13.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95AE31A654F3728E4E8E3CED3FB8B5A,SHA256=2F97CBC2ABC280EF73FFC6E476502C39E0DEEEC21A098008D96B88E2168DB259,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:14.776{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C1CE0052FC2C18D8558DC38B81BCF8,SHA256=EC0BD5952D83E3C05593E26F0724B2D6EB8ECCD79613F694CEBDCFE29D20A81D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:14.183{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04878FA42E78B3440C2CE761E9417918,SHA256=9C3563A9171E29CEB86082F91BE8E52735E144C8007F7C10079FAFF08A3C440B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.792{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC80710B3C3CBD591A5870C339A8546,SHA256=441BD29095E87F708B4268857795E4E431783382D13A8032DA9F39395C2A184D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:15.199{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B33AA5B9749A90944BB833469FC2B7,SHA256=FA2CF0811F630C1FEA207F8E3C966A4133259A2491E52E0FDF7706C8A5DE6B72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:53.655{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63014-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:16.807{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3270C6F527B9CBD532D464AEE9AC983F,SHA256=6B3FD5D7C50F11DDAB62925509F5F19B71951DE2743987D1CEB0007C5098CC88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:16.199{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EAE44BD5EFF63313C7F04A404EC271,SHA256=ACBE3277CD47B48F8FDBE40842AD5AD92CD80215B8D3C19555234111107BB065,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:17.854{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB557E28F2ACB0742FD50E6ACFDFB8B,SHA256=F7CE03BE04BDD1E6A3FC1D38EFBECEAB541B226F9251748D411E8B3001D8EF4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:17.402{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23461280BA7C8A182E1717BA632C0E4F,SHA256=A2DD477D892D1AC1FD2961332795A246B54424B4187CA0C93BB06438A454EA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:17.402{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E8DF3CCBD5984F25F3DDFE085BAAD3,SHA256=2C82A6E94916E43560B7B9698AFBF91D8099FBC83855E4CE9E5B04656A03543C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:17.402{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC9896B69A540EF5427F24F5FB4DD7B,SHA256=D0052471B1C8034047657C6C6C30FE043CC6893227DE00EEF09E9390A4A245F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:25.595{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61706-false10.0.1.12-8000- 23542300x800000000000000055906230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:18.854{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34EC1A95BE7245ECD41A220F9A445F17,SHA256=206A9E827E9CB164C0420A6666B1202E1B689BEBF60A8D913BD36B0F39A77B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:18.402{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079360A620049E3DD706B4909CD89CEE,SHA256=EE84FC35050B570E8C7FC2E89FAE8B0F275EBD277359B2928FFA72ECF97F7EE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:19.901{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7917FACFE10CFC2C36112F904D9FDB,SHA256=DE0B6501DF656E5B3644C5071BE327925980782831CB382F7257E0E8426364AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:19.465{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5096D50EC17C067B76786F845E896D6B,SHA256=5F2EDFB28C0787DD98E0BFF493DB06F32ADCA5D5C0329C6095A5BDC38BA8EFF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:20.963{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F9518A6ED6D610CC62C38E9226EDF,SHA256=CAEE728B565E8C4B8A93A34DD31A974E2E9AEE9AD320194064226A4E3E115D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:20.699{3BF36828-9799-6185-1100-00000000CC01}424NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=79C70EA4D4121FC4E31B5988D43B8A1D,SHA256=EFB44A67DDE62F6FD14721ED140CB802CE8DEA549F3A508F7C2E364EA38FFF39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:20.496{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1948503AD4C095E8EF66A2B0B79AA3,SHA256=826C51449FDAB0B3071CE8FCEF8638B92146A4599FB7F138FDE2AFAC297D05ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:34:58.733{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63015-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:21.965{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5050CE4F432C0E030034A7E12B53BD31,SHA256=47159338836654DA179BBE5BF33300E1CDF93D20B4F80C9CF5D83513B71CEEDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:21.543{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4E06F3AD04A2E61A3C52E0D430E879,SHA256=5998B7576F8528C79A9590AAD8DF0F3BD69B78B0A960C8D08E6AF04C0EC039BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:22.968{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EF6029E18ECA827D0BFA30C0A3E813,SHA256=B5F71340C6693C3EF9E898F9B054308EC7A884FFF77CD9CE0F2B567C96C935D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:22.543{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31DF7AE910CA41641680C6BDAE21C90,SHA256=4AE586EE8091ABA7BA32C9A2A4283C2975771314ECF740B2A2C5875EA48E1E8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:23.543{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77C7F31E99B369C89801700B21C78C9,SHA256=82EA499C01151DA575D7B1670DEF300C9C650051729D7C42EA7074F94C9CC830,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:23.137{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47186E1E10EA5E87882496DECEC00811,SHA256=AD3FD50226B4D0ADFAA202F95DCE2B978D0C087EA0DF481223C5014CAF98DA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:23.137{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23461280BA7C8A182E1717BA632C0E4F,SHA256=A2DD477D892D1AC1FD2961332795A246B54424B4187CA0C93BB06438A454EA8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:24.558{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6251E9DC7FE90C845FA06566497BD2,SHA256=730E4A0C349D029105C2E938416BB7C0190EA6CA8D0389ED4DA2960BB5E586A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:23.999{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A711305137CC89223B7FDB6E95554E9,SHA256=FFF3C94A27131752B6BACDB371331E9F84602BF9049E2B1CF27B3920746A7DD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:31.501{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61707-false10.0.1.12-8000- 23542300x8000000000000000107411043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:25.558{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED93C7B43198300B3BEB304A940D5D1E,SHA256=5A2C276DFA903A571248834F1F4DD5715F29C1A2AFE77165BEE89BC368F64658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:04.753{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63016-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:25.077{B81B27B7-F667-6183-2200-00000000CA01}1748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:25.015{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474D083E4446782EFB561158F9B0568B,SHA256=2A80EB1ABCCEF4E710E3F5C22911C2241936D88A5493D4464FA022F34D7BF0EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:26.637{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958A529C82E5DC16D827C8012EE0FC35,SHA256=D4EDA415DA00E17EACFACAA3E5157DC19D2F6F26B51D4C595A2A240086C238D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:26.015{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2684B0E7F5AF9317FA9928E0769372FC,SHA256=E74B6BDE14EBBBBD6BA3F2683A8533C2C9C16B58DD56C17279E40D9B927627AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:27.654{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8687AD85F798C0E9F9AF6DBB265C5AAB,SHA256=E6962D96B07F0DD4DDDF1C886BADB9E95CCB2F87029A07C19717D79DBDB50CFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:05.566{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63017-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000055906241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:27.077{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E59886251703C66A683CE27D6764988,SHA256=28560AFE5A44C8EB19F3D4411E46A822B8E5CC18119598B7908707FEC1FE0417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:28.748{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC44F7C45CF90F815DD26F2A24F9FEF2,SHA256=350DCAC6B54A585599F07BE58B67737884F9BEE438F580BA97619FA97182D7FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:28.106{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC39A9A63FEFECC784F7E0CCD0EF4480,SHA256=E57D34AEE0A82E3881F493F096320B1147870CF12C0307F73B5FF97703C31528,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:36.673{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61708-false10.0.1.12-8000- 23542300x8000000000000000107411047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:28.248{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=757895DFE7D652CC9E14FECB39B7B2E3,SHA256=04E3E16644ECA539F2F1488B4604AA1570CC8DC517C8BBDD736BB335B9D0F03A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:28.248{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47186E1E10EA5E87882496DECEC00811,SHA256=AD3FD50226B4D0ADFAA202F95DCE2B978D0C087EA0DF481223C5014CAF98DA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:29.810{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4200C7EBF7A76298925F9977CC1BCC33,SHA256=1CD18B95B199EF532E16B294D3A1775561DD93CF6FCB9EB8C1AEA3B722C28460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:29.137{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F6A998FE15E6E4BD09160C08C7DC6A,SHA256=AFB24AD01FC3491C0542BBA3D49E58032608EB367EB86E2236395C220DFF239C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:30.826{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F984D59D3438A023E8210B77F38DC385,SHA256=194451179C027249DBC2700F8950442CDD814F96A1DFE2B379F3BDCBE8EBD0F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:30.168{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEEE3755E06732C371ECBBED9C81975,SHA256=3BFD36598EF2D4A64800A874733DD1AF541FC54E06D8DBA6898F1D63EBE84C66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107411055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:30.201{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:30.201{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:30.201{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:30.201{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:30.201{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107411057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:31.857{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D67C204548844E3703385632744D2CA,SHA256=61D0F1A3FB60EAC55AACF56975285B30DE3CF0550FEF860E8108F7E7D9E1EE18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:31.184{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549462C9231FC6D36A971AB63ED3DEF3,SHA256=E57574CD7187F99CECC58D6A7E2B47469763973707B13EAD84E0F2811CA60A61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:32.873{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1951F43807F56B0E00C57A3BA777848D,SHA256=76E367CD2CD21716078021AABC18B554F6693421461D741B259F8082244C475F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:32.200{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0213700963B5708BB93FF43E5A6F7851,SHA256=197F5A7042EA89525EC381E7FBD852741A4A202AEDD8B5EBBCF77DB670E5501D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:10.735{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63018-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:33.215{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE0394D65E83F2C51916DF02C325029,SHA256=1CC10D1A19D0E7E708A370B08E707D3A6400EBA45A42062C6FD6A48D95FD2326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:41.675{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61709-false10.0.1.12-8000- 23542300x8000000000000000107411060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:33.264{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F998C70ACD90075C71EF8DF4CF58CA9,SHA256=A58AB87855A0FFCCFC9914C270FC7D79897BF06680EFEE37C41C086E159434D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:33.264{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=757895DFE7D652CC9E14FECB39B7B2E3,SHA256=04E3E16644ECA539F2F1488B4604AA1570CC8DC517C8BBDD736BB335B9D0F03A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:34.092{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0510B48D3912D17B5D4C7C740DE7BA23,SHA256=C54FF6F6E46BB051B880ECF5645CC909E01DDCCBE18FF60E8052EB542C3A642A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.981{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.981{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.981{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.981{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.981{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.981{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055906250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:34.231{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC6453BDFB6AFE994EB3A9A2AE6D20B,SHA256=A18495F4B173893CEE46070107082E71353FDE43777C084CFD878B632E4C96EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.715{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055906261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.247{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7ABCF2FC868A70B7C97F4D77E47C2F,SHA256=3303299BD3DC500CBB005FF732457C7FE6C0AF8A90FAB41FEFDC58BECB4FBE5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:35.982{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F998C70ACD90075C71EF8DF4CF58CA9,SHA256=A58AB87855A0FFCCFC9914C270FC7D79897BF06680EFEE37C41C086E159434D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:35.107{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2FE5A78DF1DB56BE2298459CBF3DFF,SHA256=47580F6B1627C99C2FEC8B250A694A70B95B163982FAB23EBA318533AD16C178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.090{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F666-6183-1400-00000000CA01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055906257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:35.090{B81B27B7-F665-6183-0B00-00000000CA01}632NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.ftlMD5=B4A51CAC53FFDCDA8D51BAA123B78754,SHA256=FB819C77768E00B51A6AEFD51B752BA2715C46564C49C974768763BCD4D8C267,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:36.247{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50790A3F2A2F589C28B6F2104BC77AB,SHA256=DFB8BAA53BF8D3F41D0A90A943A8BCA3F5A76B25D58E7E90A486C526D79563D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.840{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63024-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107411071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.832{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63023-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x8000000000000000107411070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.630{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63021-false10.0.1.14win-dc-128.attackrange.local49666- 354300x8000000000000000107411069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.522{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63020-false10.0.1.14win-dc-128.attackrange.local49672- 354300x8000000000000000107411068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.520{3BF36828-9799-6185-0D00-00000000CC01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63019-false10.0.1.14win-dc-128.attackrange.local135epmap 354300x8000000000000000107411067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.413{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59014- 354300x8000000000000000107411066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.412{3BF36828-9797-6185-0B00-00000000CC01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59013- 23542300x8000000000000000107411065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:36.139{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91A0C3703EC6C567075AF376179812C,SHA256=4B06EF86B76E34AC953A88E876710927EE1C32013C6C03F50A74CFB759683775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.487{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local59013-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389- 23542300x800000000000000055906273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:37.356{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD61BE0D9A03B3BDCFE5C9B92041A3E,SHA256=701FE47326F1CB25D3ED370E62E40E2932B92CFCCBAFCD2A73D1F75B3A5F168B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:37.154{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DE9C625B681015DAA0EEF31A19EDC9,SHA256=93DE0775ED3AA39F2DB5691F0740F714714D1DCF5338436DBAEDC7820B4FBB8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.915{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63024-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 354300x800000000000000055906271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.908{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63023-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 354300x800000000000000055906270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.766{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63022-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000055906269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.705{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63021-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49666- 354300x800000000000000055906268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.597{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63020-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49672- 354300x800000000000000055906267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:15.595{B81B27B7-F665-6183-0B00-00000000CA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63019-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 23542300x800000000000000055906274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:38.387{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A16E00ADB0B2D75C9C7E92B08B7864A,SHA256=15D11F261B3C2FC5595FAACE8B91DF637C8B6FDDDB3723D9E4FC8D86583FA8CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:38.185{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81754B7F42979B2D0D32FABDED49A84,SHA256=1DF395A91CB1996C65A15F59766786C5E50FB88E784B30CD2691CF44DDF54D64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:39.403{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1275DF2C7C78E6C77639FDB068E206,SHA256=4318E15FB9BAEB879B8397201CE4F5772FA46FC33975E0E11603371ED954B7F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.550{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61710-false10.0.1.12-8000- 23542300x8000000000000000107411076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:39.232{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C4CF288F111201BFE2BE98D300DCEE,SHA256=8595B81CE056613076409AD8DE96C6A8D0A779EE157AE684DA1A7A3880B9A5B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:39.139{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68B5C83D75C3517AA51AEEFD6C4BF23E,SHA256=02315B9C6B14F422D5FBF4432E1F20D521BCDBC49F52E7B3F7416E36A798C21D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:40.418{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7C9BFCEDEE788149DF0C31219BF24D,SHA256=96F77D40D156D7EF8F1C9FE32B2CFB0416C4852CDA05F4F0E451BABF160C923A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107411084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.389{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.389{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.389{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.389{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.389{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.389{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000107411078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:40.232{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B01913A4F3DFE62D0E8B43C157111A,SHA256=8DEC934C9AF855D97F4B8737729DB715A659305F005E271DE367406F6D3DC43B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:41.450{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3574B93060B419EDA8AD6F4B1021BC,SHA256=66A7ACD18D679834E791C4877F38D5DCB2ED5B70C06ED2E3CFCAAB05365F0A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:41.248{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B84B05336E2C80577F02CA9BFE25E6,SHA256=89F90AB2A7E62DB058397DDC99B6B6ABB981E7C7782599416DF1281798F54CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:42.481{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28662CEA8B303DA80C2FAE407C9760B3,SHA256=0287D0796D535BD3BE479C3F50C8838E08D95326E00BD0510378819F03102D23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.389{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70,IMPHASH=6FD21A38F62935B130604FF29AA3AFC5trueMicrosoft WindowsValid 10341000x8000000000000000107411117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.389{3BF36828-9797-6185-0B00-00000000CC01}6361248C:\Windows\system32\lsass.exe{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\system32\at.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.389{3BF36828-9797-6185-0B00-00000000CC01}6361248C:\Windows\system32\lsass.exe{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\system32\at.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.389{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107411114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\schedcli.dll10.0.14393.0 (rs1_release.160715-1616)Scheduler Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSCHEDCLI.DLLMD5=9565E2180ACA12EC2DAAF237568BB7FF,SHA256=450DEFF97BA11F320372CADABDFEE221D4821652DB14CBE2B2AC22DE6F212C2D,IMPHASH=A26C66511F0E88DB089794819D0C920BtrueMicrosoft WindowsValid 734700x8000000000000000107411113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107411112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107411111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107411110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000107411109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107411108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\at.exe10.0.14393.0 (rs1_release.160715-1616)Schedule service command line interfaceMicrosoft® Windows® Operating SystemMicrosoft CorporationAT.EXEMD5=8C4291D714DDDA7EF9786CB7686E8B20,SHA256=A60D4E00E9DF07AC09C8C607239DB08BB7D167299572E4436A5B14CC2BF2AD26,IMPHASH=B1830396687D5196D97998D6FA5F2919trueMicrosoft WindowsValid 10341000x8000000000000000107411107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-9799-6185-1400-00000000CC01}10561612C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107411105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107411104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107411103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000107411101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107411100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107411099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107411098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107411097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-97ED-6185-9700-00000000CC01}60884192C:\Windows\system32\conhost.exe{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\system32\at.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107411095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107411094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.373{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107411093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.357{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.357{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.357{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.357{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.357{3BF36828-97C9-6185-7D00-00000000CC01}49685004C:\Windows\system32\csrss.exe{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\system32\at.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107411088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.357{3BF36828-97ED-6185-9600-00000000CC01}60806104C:\Windows\system32\cmd.exe{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\system32\at.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107411087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.346{3BF36828-A5EE-618E-7211-01000000CC01}2160C:\Windows\System32\at.exe10.0.14393.0 (rs1_release.160715-1616)Schedule service command line interfaceMicrosoft® Windows® Operating SystemMicrosoft CorporationAT.EXEat \\10.0.1.15 14:00 C:\metE.exeC:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=8C4291D714DDDA7EF9786CB7686E8B20,SHA256=A60D4E00E9DF07AC09C8C607239DB08BB7D167299572E4436A5B14CC2BF2AD26,IMPHASH=B1830396687D5196D97998D6FA5F2919{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000107411086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:42.279{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49FCCB0C651F4E363C0A0BAFBEB846E,SHA256=D277CEC710476545AF11177552F7DEAD887337FAF6F2FFAC8C21B28928CE059C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000055906280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-11-12 17:35:42.418{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Schedule\NextAtJobIdDWORD (0x00000005) 11241100x800000000000000055906279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.localT10532021-11-12 17:35:42.403{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\At42021-11-12 17:35:42.403 11241100x800000000000000055906278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:42.403{B81B27B7-F666-6183-1600-00000000CA01}1176C:\Windows\system32\svchost.exeC:\Windows\Tasks\At4.job2021-11-12 17:35:42.403 23542300x8000000000000000107411130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.670{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F27F67A20B3A37274760EAAD4BA4401,SHA256=00DFEF9C1172589A0E58C2DFEF57EA8C25491DAE31D1204D8251B25AF96F3698,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:51.843{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61714-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000107411128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:51.840{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61713-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000107411127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:51.837{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61712-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000107411126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:51.828{3BF36828-9792-6185-0100-00000000CC01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61711-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000107411125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:51.819{3BF36828-9799-6185-1400-00000000CC01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58948-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 10341000x8000000000000000107411124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.452{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.452{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.452{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.452{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.452{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-A166-618E-E910-01000000CC01}1096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055906285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:43.497{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE3EC568F7BB8581C789DC56AB755D4,SHA256=7140F20963B14A3B69AF196B6B485B554FD93BDD50F26CAD2BE69C7DD5650734,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:21.563{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63025-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000055906283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:43.434{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A0ECFA16226FBDEAF794918A1B0005,SHA256=74F782C9D110857EB303BFB1F686B7A00499BD8A6E25D9F111275149BE3B59A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:43.434{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=962EBD560B78721973A9C9FF9237219D,SHA256=E6A1BBD8F3F4747DCE9553962FF6828A6D730D3894E7E644E571E4AAD723AE8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:43.279{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C954082A3364681E4D4A8ADE6ADC4ADE,SHA256=2E8143712048E9A474C9B493DA1757DEA66F2BCC8EBE46ED9873194F9D3843D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x8000000000000000107411132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:52.660{3BF36828-98A5-6185-ED00-00000000CC01}2352C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61715-false10.0.1.12-8000- 23542300x8000000000000000107411131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:44.467{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0DD138B488BF21146B21899CDE9AB4,SHA256=ACA1E1495B5B61A8E7F83D3C5E2988B89A3B4FD031B3E3E900E10ABD12FBD7B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:44.528{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFD342106FABE26E7F7EB657BF6552F,SHA256=C99021DE78C8356A0A50E8431EB0849B57FFE6C65A21EA1168AE8B6DBC9AF4B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:22.918{B81B27B7-F663-6183-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61714-false10.0.1.15win-host-987.attackrange.local445microsoft-ds 354300x800000000000000055906288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:22.915{B81B27B7-F663-6183-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61713-false10.0.1.15win-host-987.attackrange.local445microsoft-ds 354300x800000000000000055906287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:22.912{B81B27B7-F663-6183-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61712-false10.0.1.15win-host-987.attackrange.local445microsoft-ds 354300x800000000000000055906286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:22.903{B81B27B7-F663-6183-0100-00000000CA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal61711-false10.0.1.15win-host-987.attackrange.local445microsoft-ds 23542300x8000000000000000107411139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.467{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B189B0F1A91C8D6754FAECB450C8B9D5,SHA256=18D45DD7D65A44F4B788C9382F494CCF0EA9229A67BD04E4C51D57BE926B6487,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:45.559{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F8484AB3F8D676A062EA85286117AC,SHA256=5F1D3C80B497EDEAE6E332D12ADE14ECC98B221BE95C9E79B688017D91BF9FF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x8000000000000000107411138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.310{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.310{3BF36828-957E-618E-790F-01000000CC01}58284964C:\Windows\explorer.exe{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.310{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.310{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.310{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:45.310{3BF36828-957E-618E-790F-01000000CC01}58283708C:\Windows\explorer.exe{3BF36828-97ED-6185-9700-00000000CC01}6088C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5F2-618E-D542-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.793{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A5F2-618E-D542-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.778{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5F2-618E-D542-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.779{B81B27B7-A5F2-618E-D542-01000000CA01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.606{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790CCA9E16B1B354D8CD53FA72B0D71C,SHA256=CA60215960D7A482B06DCD4127CE1A5C14D49D2C5DCB959E69AC612CE9F35195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.732{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107411193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.732{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107411192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.732{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000107411191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107411190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107411189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107411188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107411187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107411186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107411185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.560{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107411183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107411182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107411181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107411180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107411179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107411178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107411177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107411176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107411175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107411174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107411173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107411172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107411171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107411170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107411169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107411168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107411167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107411166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107411165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107411163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107411162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107411161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107411160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107411159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000107411158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107411157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107411156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107411155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107411154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107411153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107411152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000107411151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107411149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107411148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x8000000000000000107411146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-9797-6185-0500-00000000CC01}420412C:\Windows\system32\csrss.exe{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107411141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.545{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107411140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:46.530{3BF36828-A5F2-618E-7311-01000000CC01}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000055906304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F668-6183-3000-00000000CA01}32323252C:\Windows\system32\conhost.exe{B81B27B7-A5F2-618E-D442-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0C00-00000000CA01}7325192C:\Windows\system32\svchost.exe{B81B27B7-F667-6183-2400-00000000CA01}1692C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055906294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F665-6183-0500-00000000CA01}412532C:\Windows\system32\csrss.exe{B81B27B7-A5F2-618E-D442-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055906293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.106{B81B27B7-F667-6183-2200-00000000CA01}17483236C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-A5F2-618E-D442-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055906292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.091{B81B27B7-A5F2-618E-D442-01000000CA01}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-F665-6183-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055906321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:47.626{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EF01883CEC384176A66EECC3B327BE,SHA256=FE82D6204C7E5495895E74C5184A9F582628FB177A2EB4C1964BB07E26F6F65C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.940{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107411304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.940{3BF36828-A5F3-618E-7511-01000000CC01}535696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.940{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107411302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.940{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107411301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.846{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EF82870C1FA71115D932D834A8CE66,SHA256=E01F64834378187656775F9AA08E476036D7ECDC1837D285543B2102897A8383,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.753{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107411299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107411298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107411297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107411296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107411295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107411294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107411292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107411291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107411290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107411289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107411288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107411287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.737{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107411286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107411285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107411283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107411282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107411281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107411280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107411279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107411278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107411277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107411276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107411275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107411274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107411273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107411272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107411271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107411270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107411269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107411268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x8000000000000000107411267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107411266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000107411265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107411263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107411262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107411260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107411255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.721{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107411254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.709{3BF36828-A5F3-618E-7511-01000000CC01}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107411253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.705{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A09CC7F1BBBA6111F1E1034DD9BB13,SHA256=36CD4CF62C4BCA38DFF81875FFDB95890D32FFD04AD7D66F9557F7D4A20B47A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.580{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DBE155D2A07E11425C7C32DC2AEF014,SHA256=A4EBA9E177ED2244C74C52663CCB463BE91B82FCEBCC1C9F40D7E0205D7DD371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:47.122{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A0ECFA16226FBDEAF794918A1B0005,SHA256=74F782C9D110857EB303BFB1F686B7A00499BD8A6E25D9F111275149BE3B59A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000055906319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:46.997{B81B27B7-A5F2-618E-D542-01000000CA01}3441980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-F667-6183-2200-00000000CA01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.330{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000107411250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.330{3BF36828-A5F3-618E-7411-01000000CC01}28563448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.330{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107411248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.330{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000107411247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.201{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+19544|C:\Windows\system32\taskmgr.exe+1a290|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.201{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+1e590|C:\Windows\system32\taskmgr.exe+1a25e|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.201{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+1ea6a|C:\Windows\system32\taskmgr.exe+1a0d0|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.201{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b1cf|C:\Windows\system32\taskmgr.exe+1a084|C:\Windows\system32\taskmgr.exe+19e20|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.201{3BF36828-9D19-618C-1ED4-00000000CC01}61284772C:\Windows\system32\taskmgr.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\taskmgr.exe+b3bc|C:\Windows\system32\taskmgr.exe+b2b8|C:\Windows\system32\taskmgr.exe+19d0d|C:\Windows\system32\taskmgr.exe+1cc42|C:\Windows\system32\taskmgr.exe+14fa9|C:\Windows\system32\taskmgr.exe+2cdd3|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.139{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107411241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107411240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107411239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107411238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107411237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107411236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107411234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107411233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107411232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107411231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107411230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107411229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107411228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107411227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.123{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107411226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107411225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107411224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107411223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107411222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107411221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107411220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107411219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107411217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107411216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107411215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107411214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107411213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107411212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107411211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107411210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107411209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107411208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107411207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107411205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107411204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x8000000000000000107411202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107411197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.107{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107411196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.095{3BF36828-A5F3-618E-7411-01000000CC01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000107411195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:47.092{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826E151DAC40D81DD7B3DF94F6C485DE,SHA256=D8BAEDBCD0A9B1280B2AF74971CFDF4F382B0937986D13F9E39ACB65B2614EBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000055906323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:48.641{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C961A278886B824E0E1FEA6C40FE5F3,SHA256=23905D011BA5D328E8BE77609627DF62A264818C54073BF48D7E1235BF5C74A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000055906322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:26.721{B81B27B7-F671-6183-6900-00000000CA01}4040C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local63026-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000107411390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.893{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC46911F7DBECDA05E8C91D694B315C9,SHA256=3953C35ACA4B97887A4172CA90E62838A04934A47E0899F4EEDA966794EFDFDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x8000000000000000107411389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.737{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AA5C6B46B44E1269734BCD747AE191A,SHA256=308C7B71A24A5A54D06D7188BB15448E287285C1C412694934CF8E7846B2F5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.690{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000107411387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.690{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000107411386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.690{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000107411385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.471{3BF36828-98AB-6185-F600-00000000CC01}5748NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0488DE830F42A4BC9F5F8C0DE07A8D7,SHA256=BF14DE9ED464A79DC8E0FE90C90CAA625035316DEA95AA67B4BF0FCBCCD8FDB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107411383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107411382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107411381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107411380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107411379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107411378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.440{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x8000000000000000107411376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000107411375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000107411374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000107411373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107411372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107411371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000107411370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000107411369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000107411368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.424{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000107411367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000107411366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000107411365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000107411363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107411362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x8000000000000000107411361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000107411360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107411359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000107411358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000107411357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107411356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000107411355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x8000000000000000107411354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107411353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107411352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000107411351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000107411350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000107411349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107411348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-989E-6185-C300-00000000CC01}59565960C:\Windows\system32\conhost.exe{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107411346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107411345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000107411344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x8000000000000000107411342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-9797-6185-0500-00000000CC01}420536C:\Windows\system32\csrss.exe{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107411338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.409{3BF36828-989D-6185-BF00-00000000CC01}29682452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107411337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.394{3BF36828-A5F4-618E-7711-01000000CC01}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-9797-6185-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-989D-6185-BF00-00000000CC01}2968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000107411336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-9797-6185-0B00-00000000CC01}6361248C:\Windows\system32\lsass.exe{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\system32\at.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-9797-6185-0B00-00000000CC01}6361248C:\Windows\system32\lsass.exe{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\system32\at.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000107411333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70,IMPHASH=6FD21A38F62935B130604FF29AA3AFC5trueMicrosoft WindowsValid 734700x8000000000000000107411332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000107411331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000107411330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000107411329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.113{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000107411328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000107411327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000107411326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\schedcli.dll10.0.14393.0 (rs1_release.160715-1616)Scheduler Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSCHEDCLI.DLLMD5=9565E2180ACA12EC2DAAF237568BB7FF,SHA256=450DEFF97BA11F320372CADABDFEE221D4821652DB14CBE2B2AC22DE6F212C2D,IMPHASH=A26C66511F0E88DB089794819D0C920BtrueMicrosoft WindowsValid 734700x8000000000000000107411325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000107411324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000107411323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000107411321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x8000000000000000107411320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000107411319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000107411318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x8000000000000000107411317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-97ED-6185-9700-00000000CC01}60884192C:\Windows\system32\conhost.exe{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\system32\at.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000107411316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000107411315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000107411314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000107411313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exeC:\Windows\System32\at.exe10.0.14393.0 (rs1_release.160715-1616)Schedule service command line interfaceMicrosoft® Windows® Operating SystemMicrosoft CorporationAT.EXEMD5=8C4291D714DDDA7EF9786CB7686E8B20,SHA256=A60D4E00E9DF07AC09C8C607239DB08BB7D167299572E4436A5B14CC2BF2AD26,IMPHASH=B1830396687D5196D97998D6FA5F2919trueMicrosoft WindowsValid 10341000x8000000000000000107411312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-9799-6185-0C00-00000000CC01}8445280C:\Windows\system32\svchost.exe{3BF36828-97A9-6185-2A00-00000000CC01}2912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000107411308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-97C9-6185-7D00-00000000CC01}49683244C:\Windows\system32\csrss.exe{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\system32\at.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107411307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.096{3BF36828-97ED-6185-9600-00000000CC01}60806104C:\Windows\system32\cmd.exe{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\system32\at.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000107411306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:48.071{3BF36828-A5F4-618E-7611-01000000CC01}5540C:\Windows\System32\at.exe10.0.14393.0 (rs1_release.160715-1616)Schedule service command line interfaceMicrosoft® Windows® Operating SystemMicrosoft CorporationAT.EXEat \\10.0.1.15 1 /deleteC:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-97CB-6185-F909-080000000000}0x809f92HighMD5=8C4291D714DDDA7EF9786CB7686E8B20,SHA256=A60D4E00E9DF07AC09C8C607239DB08BB7D167299572E4436A5B14CC2BF2AD26,IMPHASH=B1830396687D5196D97998D6FA5F2919{3BF36828-97ED-6185-9600-00000000CC01}6080C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000055906324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-11-12 17:35:49.657{B81B27B7-F679-6183-7300-00000000CA01}3824NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB93CE11124041618B641EA8FAF7C1AE,SHA256=27A4123BB970793522FA7B548BE9E3CD588FC145C1B0011EDD63677B80A804AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x8000000000000000107411495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.815{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000107411494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.815{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000107411493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.799{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000107411492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.799{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000107411491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.799{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000107411490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.799{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x8000000000000000107411489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.799{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000107411488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-11-12 17:35:49.799{3BF36828-A5F5-618E-7911-01000000CC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD